Really tired of the word game.... 'they feel it's the best way to run 1password' sure they feel that way cause it provides a continued revenue stream. It has NOTHING to do with the customer. Time to start looking for an alternate solution....

Why are so many people mad and disappointed that 1Password is providing a subscription for those who are interested? If one isn't interested, one can continue to use 1Password like it has been offered for years.
 
It doesn't matter if they store your password on their servers or not. If they get breached and thousands of people's vaults are taken the cracking will begin. Many people won't use a super strong password on their 1Password vault and that is the seed which determines your encryption key for your vault.

Now instead of breaking 1 website login (like when they compromise say a forum you use) they will break your entire vault and get hundreds of logins to every website you use.

Can you imagine how long it would take to change EVERY password? I have over 350 logins in my 1Password vault. I do not want my vault stored on their servers, this isn't a question about it being encrypted with a password that is stored on their servers or not this is about it being cracked in the event it gets stolen in a breach.
You're mixing up the master password that users create and the account key that 1Password generates. This is why for all intents and purposes, if the vault databases are obtained by attackers, they are still essentially worthless.

Mass resetting passwords is definitely an issue currently, but letting that be a hindrance should a breach occur (and that the secret key implementation is flawed) seems to me as allowing perfect to be an enemy of the good.
 
The subscription model IS THE ONLY WAY you can purchase 1Password now. I discovered this when I bought a new computer and attempted to install 1Password on it. Several emails with the company confirmed this.

I REFUSE to subscribe to an app, so I am seeking alternative measures now--which may be going back to using a locked excel spreadsheet if I have to.
The subscription is one of two choices offered. One can use 1Password without purchasing a subscription. The older business option is still in place, as confirmed by 1Password.
 
Why are so many people mad and disappointed that 1Password is providing a subscription for those who are interested? If one isn't interested, one can continue to use 1Password like it has been offered for years.

Yeah, except just a few months ago when they introduced subscription, they said a separate - pay once - version will continue to be developed and will continue to be available for purchase.

They broke their word, individual licenses are now gone. There won't be any future stand alone version (good luck updating your OS if the current version of 1Password breaks).

Next step will be taking out local vaults in a future 1Password update, they already did exactly that on the windows version.

They have lied over and over again, just for the purpose of watering down the outrage about this change over many months, keeping users in the dark about the future of the software.
 
I'm not insistent on "free open source" as I will pay for something of value
Just as a side note, most open source projects are happy to accept donations. ;) I generally donate to all projects whose software I use regularly.

Open source has many advantages besides not requiring payment ...
 
Lots of people here making perfect the enemy of good. I get not wanting another subscription service, that argument makes sense. Personally I feel AgileBits gives enough value via frequent updates that the sub is worthwhile to me (see their recent update implementing travel vaults to avoid revealing your sensitive info to border agents, a feature that I believe is unique to 1Password).

As for the cloud argument, most of the complaints here feel weak to me. What is your alternative? If you want your passwords to sync, you have to use some kind of cloud service. 1Password's entire reputation is built on keeping passwords safe, so it is in their best interests to shore up security. They're not open source, but name me an open source password manager that is as polished, fully featured across all platforms, and regularly updated like 1Password is, oh and that also lets you use your own sync service. I can promise you this product doesn't exist. KeePass is great in theory but the implementation on iOS is so poor that it loses any advantage it has by being open source.

There are other closed source services but IMO only a few have the reputation of 1Password and those are either subscription based, central server cloud based, or both. I've done a lot of research trying to find a better replacement for 1Password that checks all my security boxes, and currently nothing is better for my needs. Bitwarden comes closest, but it's not as fully featured as 1Password, doesn't have a desktop app, and uses cloud storage anyway.

There is no perfect password manager, but of all the options out there, 1Password's imperfections are the least offensive to me.
 
I am. Lastpass has been hacked more than once.

I have seen the headlines but never read the stories. Was any data ever taken that was usable ? LastPass advertises that they do not have access to your password, encryption keys and if you have 2 factor turned on you are safe. I am just curious about what others think of cloud storage for such items. I currently use 1Password with iCloud sync.
 
Maybe we should spend some time on Chinese remainder theorem, Fermat, RSA and large prime numbers so that everyone is able to use his own encryption software ...over the years probably the better solution
 
I agree, but from my perspective I think my database file is safer on Apple's servers (iCloud) than on 1Password's.
Still I agree with you that there is no perfect system.

i guess the point is, whether your DB is local or in the cloud, if you assume it is public and can be stolen there is no difference. your passphrase protects it.

Lastpass has been hacked, but they work quite differently to say 1password, keepass, etc.

i'd personally never use lastpass, because i don't understand or trust their architecture and i already found solutions i do trust.
 
Seems cloud based solutions are standard these days. Let's see if they actually do get hacked. Who can blame these companies. You can't sustain a business on the pittance people think they should pay for software. Have you seen the price of food, clothing and shelter in a western city? It seems like a fair price for the service. If it's not your thing then move on and stop complaining. You're in the wrong snack bracket. Maybe consider a Chromebook. Maybe all the time you spend complaining about a few dollars a month could be put to being more productive and bringing in a few bucks.

Last time I checked the supermarket did not say they would not sell you, for example, milk unless you signed on for weekly, monthly or annual payments.

Software is moving towards becoming a commodity. Soon there will be no reason for software business models that require software to be continuously revised, have useless features added, etc. all to generate revenue. Software companies are trying to get in under the wire with subscriptions before this happens because people are tired of paying big bucks for un-needed upgrades. The hope from software companies is that you won't miss the monthly fee and therefore will not question it.

If you have 30 apps that you pay $2 per month, that ends up being $720 per year, every year whether you need to upgrade or not. Great for developers, terrible for future users.

For this model to work, the monthly subscription needs to be significantly less than $1.
 
I understand the complaint with this specific article, but in general people need to accept that subscriptions are the future of software. This isn't iOS 2 (or whatever it was called) and most of the apps are sound effects that cost a dollar.

Enlight Photofox, for example, is a serious application that takes a lot of money to make and maintain. Pay for your god darn apps. Good things don't come cheap (unless they sell your data).

Back in the day you'd buy software on a CD in a box at Staples that would cost $40+. I think a lot of people need to remember those days and stop complaining about an app that took a year to create costing more than $1.
 
As for the cloud argument, most of the complaints here feel weak to me. What is your alternative? If you want your passwords to sync, you have to use some kind of cloud service.
Not necessarily. I sync only over my local network.
1Password's entire reputation is built on keeping passwords safe, so it is in their best interests to shore up security.
What happens if someone hacks their web site and replaces the JavaScript that they use for the browser-based encryption when you access your database via the web site?
They're not open source, but name me an open source password manager that is as polished, fully featured across all platforms, and regularly updated like 1Password is, oh and that also lets you use your own sync service. I can promise you this product doesn't exist. KeePass is great in theory but the implementation on iOS is so poor that it loses any advantage it has by being open source.
Which iOS app did you try? If you want cloud syncing, there are some KeePass-compatible apps that can do that (e.g. KyPass, which supports Dropbox, Google Drive and iCloud Drive; it's not open source though).
 
They are probably being forced by government secret courts to grant them back doors to cloud information and they are not allowed to disclose this information to their customers. Don't be surprised if we find someday that they have already been given access to iCloud, but the government still has to decrypt it themselves. The next Snowden will reveal all this in Prism 2.0 in 2020. ;)
 
The don't; we should all just not use web banking, don't use backups of our devices, etc. Going back to old way on going into the bank or ATM every time you need your balance, and when you drop your phone losing everything, is nowhere near convenient to do these days in people's busy lives; nor the way people depend on their data being accessible at all times.

There has to be SOME level of realization of risk in the discussion with everything on the internet without a tinfoil hat on that "omg it will be stolen I don't trust anyone" At some level EVERY person here is trusting some company via the internet, even MacRumors!

FYI, I would NEVER use a password manager for a bank, my investment account, or email to begin with no matter how/where it is backed up. There's a HUGE difference between say your MacRumors/Twitter/Facebook login info where at most you lose access, and a bank/investment where someone can get at your real money and bankrupt you and make you homeless.

i agree with your post except for the bit regarding banking details and password management.

whilst nothing is perfect, i suggest that using strong unique, fully random passwords for your financial stuff is essential. and anything you can remember does not meet those criteria. so you need to store it somewhere.

the vault is a way better option than post-it notes or paper that can far more easily be stolen, lost, destroyed, etc.
 
Not necessarily. I sync only over my local network.
What happens if someone hacks their web site and replaces the JavaScript that they use for the browser-based encryption when you access your database via the web site?
Which iOS app did you try? If you want cloud syncing, there are some KeePass-compatible apps that can do that (e.g. KyPass, which supports Dropbox, Google Drive and iCloud Drive; it's not open source though).

I never access my 1Password database via a website. I only access it using the apps. If I'm not on my own device I pull up the password I need on my phone and type it manually.

As for KeePass, I've tried all the iOS apps. They can sync via Dropbox but I've found none that can auto fill passwords via the sharing tab. That's essential functionality for me.
 
For all those who are saying "it doesn't matter where the data is stored because it is encrypted": Don't you think there is a security issue with telling hackers where to find millions of password, even if they are encrypted?

Also, for those saying Apple keychain is also in the cloud: You have a choice. You can set up your own syncing process without involving any third party server if you like. It takes some fiddling, but I guess security and convenience are not really combinable.

And yes, I do own and use 1Password.

if you don't trust encryption then sorry but you're boned.

the only way trust on the internet works for banking, secure network traffic, etc is encryption.

and the encryption used for those things is far easier to break due to using less rounds of encryption and usually less secure, faster ciphers than your typical password manager.

your passwords are already out there in hash form everywhere on the internet. your banking info is already traversing the internet in encrypted form. if you do not trust encryption, then sorry but that horse has already bolted whether you use a password manager or not.
 
You're mixing up the master password that users create and the account key that 1Password generates. This is why for all intents and purposes, if the vault databases are obtained by attackers, they are still essentially worthless.

Mass resetting passwords is definitely an issue currently, but letting that be a hindrance should a breach occur (and that the secret key implementation is flawed) seems to me as allowing perfect to be an enemy of the good.

This is not correct because you can login to their website without any plugin installed in your browser and unlock your vault. So at some point down the chain the password is used to encrypt the vault. Whether that means your password is used to retrieve something from their site database or not - All of this could be stolen in a breach and then the cracking starts.
 
And you can sync even when you're not on your home network?

Yes. If I create a new password on the go with my MacBook, it syncs to my phone (Wi-Fi) - I have it on that machine or that phone, where I need it at that moment, and as soon as I come home it syncs to my desktop Mac Pro, where I can use it as well.

All locally stored without putting my whole life on someone else's server.

And that is what AgileBits is destroying now.
 
Don't you think free is a strange business model?

Plus, the company is located in India, which has very sporadic privacy laws and those are not even actually enforced.

They make their money from selling the mobile app and it doesn't matter where they're based, they don't have a copy of your passwords, it is all kept locally on your computer.
 
I have seen the headlines but never read the stories. Was any data ever taken that was usable ? LastPass advertises that they do not have access to your password, encryption keys and if you have 2 factor turned on you are safe. I am just curious about what others think of cloud storage for such items. I currently use 1Password with iCloud sync.

https://krebsonsecurity.com/2015/06/password-manager-lastpass-warns-of-breach/ has the details. They didn't get the files, but they got account info like the password hints. And here are 2 interesting comments about lastpass's 2FA:

Hans
June 17, 2015 at 4:28 am

Keep in mind that 2-factor only protects against unauthorized access of the LP infrastructure (website etc). In case your vault is stolen and they are able to crack your master password, the 2-factor will not help you.

AFAIK, your vault is not encrypted with the 2nd factor. At least, I cannot reason how they would do this, as the 2nd factor is a changing number.

LP claims that there is no evidence that the vaults have been copied. (but a very good hacker is able to remove his traces…right? ), so you (and me) will be ok….


    Matt
    June 18, 2015 at 12:11 am

    +1

    So many lastpass users (of which I am one for my low to medium security passwords) do not understand this. And lastpass marketing doesn’t really do a lot to clear this up. The only protection on your encrypted password list is your passphrase. The second factor just controls whether lastpass gives you the encrypted list.

    If the attackers get your encrypted list (which it doesn’t look like they did in this case), then the second factor provides zero extra protection.
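
Two points argued in this thread, that a second factor only gates the download of the vault and that a device-held secret key changes what a stolen vault is worth, shown as an added example that is not part of any post and is not any vendor's actual scheme. The derivation (PBKDF2 XORed with an HMAC of the secret), the toy tag-based vault and all names and sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 10_000     # low so the demo is fast; real vaults use far more
CHECK = b"vault-check"  # stands in for the authentication tag on a real vault


def derive(password, salt, secret_key=None):
    """PBKDF2 over the password, optionally mixed with a device-held secret."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    if secret_key is not None:
        mask = hmac.new(secret_key, salt, hashlib.sha256).digest()
        key = bytes(a ^ b for a, b in zip(key, mask))
    return key


def make_vault(password, secret_key=None):
    """Constructed toy vault: a salt plus a tag only the right key reproduces."""
    salt = os.urandom(16)
    key = derive(password, salt, secret_key)
    return {"salt": salt, "tag": hmac.new(key, CHECK, hashlib.sha256).digest()}


def unlocks(vault, password, secret_key=None):
    key = derive(password, vault["salt"], secret_key)
    expected = hmac.new(key, CHECK, hashlib.sha256).digest()
    return hmac.compare_digest(expected, vault["tag"])


def server_release(vault, second_factor_ok):
    """The second factor decides only whether the server hands over the blob."""
    return vault if second_factor_ok else None


def first_unlocking(vault, candidates):
    """What the holder of a stolen copy can test offline: passwords only."""
    return next((p for p in candidates if unlocks(vault, p)), None)


# Constructed sample data.
WEAK = "summer2017"
GUESSES = ["password1", "letmein", WEAK]
SECRET = os.urandom(16)  # 128-bit random value kept on the user's devices
plain_vault = make_vault(WEAK)
keyed_vault = make_vault(WEAK, SECRET)

if __name__ == "__main__":
    print(server_release(plain_vault, second_factor_ok=False))  # 2FA blocks download
    print(first_unlocking(plain_vault, GUESSES))  # stolen copy, password-only key
    print(first_unlocking(keyed_vault, GUESSES))  # right password, secret missing
    print(unlocks(keyed_vault, WEAK, SECRET))     # owner's device has both
```

The one-time code never appears as an input to `derive`, which is why it adds nothing once a copy of the vault is outside the server's control.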
 