So sad...
1Password was one of those rare pieces of software that actually made your life better and was intuitive to use. Greed is going to kill them. I understand they probably can't survive on a one-time $30 payment for the rest of their lives, but how about a paid upgrade every 2-3 years?

Locally stored vault and continuous income-Win/Win.

I can only hope that ProtonMail, which made a secure mail service and a VPN, will make a secure, non-greedy password manager. One thing for sure, I can't go back to remembering my passwords like back in the 90s. Shame 1Password, shame.
 
Somehow, due to using the latest versions of 1Password on PC, my vault became unsynced. My iPhone was up to date, while my Dropbox version on PC was suddenly a fraction of what it should have been.

Something went wrong somewhere and trying to correct it was stressful, as the local data on the iPhone could be replaced by the outdated Dropbox instead of the other way around.

The easiest/safest solution was to sign up for the subscription that then imported the current data from the iPhone. It worked, but now I'm stuck on subscription.
 
I sure hope they don't turn out to have been lying in the attached screenshots, because I love their products.

From https://discussions.agilebits.com/d...ond-the-subscription-plan-for-offline-version
Screen Shot 2017-07-12 at 11.28.11 AM.png




From https://blog.agilebits.com/2016/08/03/new-1password-hosted-service/comment-page-2/
Screen Shot 2017-07-12 at 11.28.40 AM.png
 
I would never trust my passwords to the cloud. This is a gold mine for hackers. They just sold out their users for a subscription model because they want a deeper hand in your pocket. I'd drop them like a hot potato. I'm so glad I didn't invest in this product.
 
...That press release is just a large flag saying "come and hack us".

Actually, AgileBits already did that specific press release some time ago:

Our 1Password bug bounty program offers tiered rewards for bug identification, starting at $100. Our top prize goes to anyone who can obtain and decrypt some bad poetry (in particular, a horrible haiku) stored in a 1Password vault that researchers should not have access to. We are raising the reward for that from $25,000 to $100,000.

I think we'd have heard if someone had been able to claim that prize - at least from BugCrowd, if not from AgileBits themselves. So far, nada -- and that's with people motivated by a $100,000 prize working actively on it.
 
Thanks for the Enpass info, guys! Now downloading the app. I have used 1password since its inception. I am on a Windows system now after moving on from OS X so I'm stuck with 1Password's old version 4. I have so many subscription services to pay for that yet another one is just too much for me to bear, more psychologically than financially. Ya know: that feeling of being roped-in indefinitely to a service.
 
The don't; we should all just not use web banking, don't use backups of our devices, etc. Going back to the old way of going into the bank or ATM every time you need your balance, and when you drop your phone losing everything, is nowhere near convenient to do these days in people's busy lives; nor the way people depend on their data being accessible at all times.

There has to be SOME level of realization of risk in the discussion with everything on the internet without a tinfoil hat on that "omg it will be stolen I don't trust anyone"

FYI, I would NEVER use a password manager for a bank, my investment account, or email to begin with no matter how/where it is backed up. There's a HUGE difference between say your Macrumors/twitter/facebook login info where at most you lose access, and a bank/investment where someone can get at your real money and bankrupt you and make you homeless.
How does that follow? Are you proposing storing all your passwords physically in writing or via memory? Because that would run counter to the idea of convenience that you suggested initially as the reason why we shouldn't revert to past behavior. The consequence of desiring both convenience and security is why we have password managers in the first place, because you can have the best of both worlds - simple to generate passwords that have a high degree of randomness, and the ability to store large numbers of them in a secure (encrypted) format.

There is definitely the inherent risk that whatever encryption schemes used by managers are flawed so that even if the encryption password isn't exposed to hackers, the databases become trivial to break into. However, given the benefits I mentioned above, I think that they greatly outweigh the risks otherwise. The amount of support I've seen from the devs at 1Password certainly helps as well.
 
There have been many, many breaches of prestigious commercial and government sites....sites that were touted as totally secure. Recently, onelogin:

https://krebsonsecurity.com/2017/06/onelogin-breach-exposed-ability-to-decrypt-data/

They were secure too... right up till when they were not...now 2000+ companies are busy trying to recover from its impacts

Some customers don't see the advantage in the additional risk of hosting their data on a password manager developer's web site.

IMO online authentication = extra risk. Clearly, 2FA is no guarantee either.

The 1password folk will assure you that they are different and it cannot happen to them blah blah

But then there is this:
https://1password.com/legal/terms-of-service/
AgileBits, Inc. makes no guarantees, representations or warranties of any
kind as regards the website and associated technology. Any purportedly
applicable warranties, terms and conditions are excluded, to the fullest
extent permitted by law. Your use of the Service is at your sole risk.


Lots of folk don't like subscription model software either......If I paid for subscription software for all the applications (27) on my computer it would cost nearly $900 a month. This ain't a model I will support.

But what is really offensive is AgileBits' attitude (just read the responses to customer concerns on their user forum throughout this year) to anyone who does not embrace subscription software with users' login codes, passwords, credit card details and secure notes hosted on the developer's servers. In my opinion it's annoying, condescending, untruthful and just plain rude.

I think AgileBits have shown their true colours. They had their chance. After nearly a decade I don't use them any more and can no longer recommend them to anyone.
 
I oppose the subscription model too, but so far they haven’t announced whether this will be the only way to obtain 1Password in the future. They also have not given a ‘cut-off date’ for standalone updates and have been very generous (having paid for 1Password at least 5 years ago – I cannot even remember when). Even if they do require a subscription, to me that would mean that the service would become more expensive and I'd have to consider whether that price is still worth it to me.

The subscription model IS THE ONLY WAY you can purchase 1Password now. I discovered this when I bought a new computer and attempted to install 1Password on it. Several emails with the company confirmed this.

I REFUSE to subscribe to an app, so I am seeking alternative measures now--which may be going back to using a locked Excel spreadsheet if I have to.

UPDATE: I see now that it is only the Windows version that is subscription only. As this is a forum of primarily Mac users, please disregard the above rant.
 
For all those who are saying "it doesn't matter where the data is stored because it is encrypted": Don't you think there is a security issue with telling hackers where to find millions of passwords, even if they are encrypted?

Also, for those saying Apple keychain is also in the cloud: You have a choice. You can set up your own syncing process without involving any third party server if you like. It takes some fiddling, but I guess security and convenience are not really combinable.

And yes, I do own and use 1Password.
 
I do not want subscription model.
I do not want cloud access.

I am glad to buy upgrades and want to keep things local.
 
For some that $36 is going to be a non-starter. Best to look for some free open source stuff then.

For many it isn't the $36, it's the principle of not being forced into a subscription when the subsequent development isn't worthy of a constant fee. I gladly paid $10 for iOS and $25 for Windows licenses of 1Password. They still do everything I need them to and I think it was a wise purchase. I'm not insistent on "free open source" as I will pay for something of value; however, I'm also not going to upgrade unless there are compelling new features or something breaks the old version. Any company that takes that choice away from me is going to lose my business.

I'll pay a subscription fee for a product that needs constant updating. I buy TurboTax every year because tax laws change and I absolutely have to have the latest version or the results won't be accurate. On the other hand, I'm still rocking Quicken 2014 since it does what I want and the newer versions don't provide any additional benefit for my use.

Developers need to stay on top of their game and produce worthy new features so customers will want to pay to upgrade. The switch to a subscription model seems like an easy way out to get a guaranteed revenue stream even as feature development stalls.
 
There have been many, many breaches of prestigious commercial and government sites....sites that were touted as totally secure. Recently, onelogin:

https://krebsonsecurity.com/2017/06/onelogin-breach-exposed-ability-to-decrypt-data/

They were secure too... right up till when they were not...now 2000+ companies are busy trying to recover from its impacts

Some customers don't see the advantage in the additional risk of hosting their data on a password manager developer's web site.

IMO online authentication = extra risk. Clearly, 2FA is no guarantee either.

[snip]
I realize that you added a disclaimer "The 1password folk will assure you that they are different and it cannot happen to them blah blah", but really, your comparisons aren't particularly apples-to-apples. For one, if 1Password truly doesn't store the vault's master password on their servers, then similar to how Apple deals with encryption on the iPhone (i.e. your passcode), 1Password really doesn't have a way to decrypt your passwords even if the databases were hacked. The update from the Krebs article seems to suggest that in OneLogin's case, the encryption keys may reside on the server's end and therefore that decryption risk may also be there.

Like I mentioned in my previous post, inherent risks will exist in general in software (and life). But ignoring the benefits seems to be self-defeating.
 
I realize that you added a disclaimer "The 1password folk will assure you that they are different and it cannot happen to them blah blah", but really, your comparisons aren't particularly apples-to-apples. For one, if 1Password truly doesn't store the vault's master password on their servers, then similar to how Apple deals with encryption on the iPhone (i.e. your passcode), 1Password really doesn't have a way to decrypt your passwords even if the databases were hacked. The update from the Krebs article seems to suggest that in OneLogin's case, the encryption keys may reside on the server's end and therefore that decryption risk may also be there.

Like I mentioned in my previous post, inherent risks will exist in general in software (and life). But ignoring the benefits seems to be self-defeating.

It doesn't matter if they store your password on their servers or not. If they get breached and thousands of people's vaults are taken, the cracking will begin. Many people won't use a super strong password on their 1Password vault, and that is the seed which determines your encryption key for your vault.

Now instead of breaking 1 website login (like when they compromise say a forum you use) they will break your entire vault and get hundreds of logins to every website you use.

Can you imagine how long it would take to change EVERY password? I have over 350 logins in my 1Password vault. I do not want my vault stored on their servers; this isn't a question about it being encrypted with a password that is stored on their servers or not, this is about it being cracked in the event it gets stolen in a breach.
 
The subscription model IS THE ONLY WAY you can purchase 1Password now. I discovered this when I bought a new computer and attempted to install 1Password on it. Several emails with the company confirmed this.

I REFUSE to subscribe to an app, so I am seeking alternative measures now--which may be going back to using a locked Excel spreadsheet if I have to.

I think you are mistaken. I have the non-subscription model and it was available from here.

https://agilebits.com/store
 