Security experts are not pleased that ‘1Password’ is pushing users to the cloud

“1Password is moving away from its one-time license, local storage option, and security researchers are not happy about it,” Lorenzo Franceschi-Bicchierai writes for Motherboard.

“What makes 1Password different, and more desirable for certain sectors of the hacker and security community, is that it allows users to keep all their passwords stored in a local ‘vault,’ a password protected database that only lives inside their computers or smartphones,” Franceschi-Bicchierai writes. “For some, this is better because your passwords never leave your computer, meaning that the user has complete control over their passwords — a hacker would have to go after that specific user as opposed to possibly getting them from 1Password if the service itself is hacked.”

“Last weekend, though, several security researchers tweeted that 1Password was moving away from allowing people to pay for a one-time license and have local password vaults, in favor of its cloud-based alternative that requires a monthly subscription,” Franceschi-Bicchierai writes. “A 1Password engineer explained in a Twitter chat that the company knows ‘without a doubt that 1Password.com is better for usability and security,’ referring to the cloud-based option, which costs $2.99 per month (or $4.99 for an account for up to five people).”

Read more in the full article here.

MacDailyNews Take: As we’ve written many times before:

Always use unique passwords and use Apple’s Keychain Access and iCloud Keychain to create and manage them. When used properly, it works like a dream.

47 Comments

  1. I use 1Password and saw in the previous update that they are pushing users to the cloud. I believe that they do offer options for cloud services though (which, yes, I do realize are themselves vulnerable cloud services) but I believe that iCloud is one of the options. I can’t remember. I know that Dropbox was an option. We’re getting back to the days where truly private data have to be written and stored securely yourself and that brings about its own security issues.

    1. Click on a link in an email while logged into dropbox and malware can encrypt your dropbox faster than you can say “ransomware”.

      I dropped dropbox and went 100% iCloud. Someone figures out how to ransomware iCloud accounts with secure passwords and I will eat my hat.

    2. I had been using 1Password for years. The last 2 months I’ve been using Enpass without any problems. I’m liking it better than 1Password now: no subscription, has mobile/desktop versions, and very stable. I’m not associated with the Enpass group.

  2. It would be nice if Safari’s password suggestion feature popped up for all sites needing passwords. It doesn’t and I hate having to come up with new ones on the fly. GRC Password Generator seems to come up with really good random options when I’m able to use it.

    And I’m sure I’m using it wrong but ones stored on my MBP don’t migrate over to my iPhone and iPad.

    Plus, the passwords it suggests are a pretty generic format xxx-xxx-xxx-xxx How about options for longer and more advanced ones?

    1. Keychain Access is great, I use it on the Mac to store passwords and other secured info that doesn’t necessarily go through Safari. Apple really needs to make something similar for iOS; Safari passwords is insufficient to the task.

  3. I have used 1Password for years now and have paid for SW upgrades because it is a very solid product I am pleased with. However, there is no way I am migrating to a new version on the Cloud. They sure can try to push me, but I am more likely to write my own password manager than accept the change. My main concern is that they would become a prime target for hackers and that is a security risk I am not willing to take.

    1. I am a long-time user of 1Password. I am looking for something else now. I gave up on Adobe due to subscriptions and it looks like I will be doing so again for 1Password. Too bad. It was a very good product.

          1. 1Password has had its problems as well:

            Yes, “design flaw” in 1Password is a problem, just not for end users
            It may very well be time for a new and improved hashing function.

            What’s unique about LastPass is that its code is open source, meaning it can be vetted. To my knowledge it has now been vetted twice. That’s a good thing. They’ve been extremely responsive when security bugs were found.

            I do note however that they too have a subscription plan if you want their ‘premium’ service. *sigh*

    2. not pleased that ‘1Password’ is pushing users to the cloud:

      Yeah, they’re crazy with this one. I’d sooner sync a Numbers password list across iCloud. At least then, hackers would be required to choose specific targets and couldn’t even guarantee that I had the list until after hacking. Who in the hell wants to pay $36/yr for a password manager?

    4. Money is one thing, though not inherently bad. But, safety from skullduggery is entirely another.

      If someone either hacks or puts in a back door to a cloud service, can you imagine the damage that could be done to millions of people instantly who could lose online services and money.

      Just try to get someone at a company by phone today to complain about a hacked account. Take PayPal for instance.

      Paper password records as the ultimate backup can be protected. A USB key can be protected. A simple password protected text file can be protected by both the password and obscurity, where the text file doesn’t even look like it holds passwords.

      Steganography can store passwords in a picture, among thousands on your computer and who knows which picture has the passwords.

      There are so many less expensive ways to keep passwords away from people with a huge profit motive to “break the bank” where the keys are stored to all the money.

      If a software company of utilities starts charging monthly, I think they are going to PO their customers big time.

    1. Don’t over react, they are not pulling the plug on existing users. And there is no “next program” to go on to; all the others are subscription-based already. I’m sure 1Password will eventually stop supporting their old cloud syncing methods, but until then I think it’s still the best solution out there.

      1. First they will stop updating older programs and it seems they already have. While updates have been fairly regular, there hasn’t been one in a while.

        Then of course I’ve found viable open source replacements and others so far, FOR FREE.

        1. v6.2.1 was released April 28th. I’d call that ‘recent’. So don’t panic, yet.

          Meanwhile, look into the best alternative: LastPass. Agilebits know full well that LastPass has an even better reputation than they do. Someone is going to take a bludgeon to their marketing morons and make it clear that dumping the current no-subscription plan is suicide.

          1. As a LastPass Enterprise administrator for over two years, I have to disagree with you. We’re phasing it out of our organization. It gives users a false sense of security that their passwords are safe. It’s better than nothing, but not much better.

            1. Thank you. I know LastPass only by reputation. Their code has been repeatedly vetted and security flaws found. But they’ve rapidly responded.

              For newbies: Both 1Password and LastPass have relatively excellent reputations. There are probably a dozen alternatives, none of which to my knowledge are considered as safe nor qualify as ‘Trust No One’. Only the user should have access to their passwords, never the service, if you require strict security from surveillance by the usual suspects.

  4. I don’t think you are forced to buy the 1Password cloud membership. I purchased the Pro version and just sync my data to my various devices over Dropbox, iCloud, and my wifi server at home. It was a one time purchase and I’ve been using this for years.

        1. From the same website:

          “If you don’t want a 1Password account

          Alternatively, you can unlock the Pro features with a one-time, in-app purchase. Open and unlock 1Password. Tap Settings > Pro features, then tap the green price button and confirm your purchase.”

  5. 1Password have been shoving this alternative for many months. I’ve ignored it. But if they make a monthly fee mandatory: I’ll jump ship and hello LastPass.

    https://www.lastpass.com

    So far, being a long time 1Password user, I have not even received solicitations to change over. However, anyone checking out their website will see nothing-but their subscription plan. That looks like shite marketing to me, hiding the solo option in order to fake out/fool/screw over potential customers. IOW: Marketing Moron behavior.

    I may have a little talk with Agilebits about this bullshit.

      1. Thanks, I am inclined to do the same. They have a good support team, so this push to cloud is surprising, given that they tried using cloud sync before and they took a lot of heat for it. Customers demanded Wi-Fi sync and they brought it back. I am a paid customer on multiple platforms. I will not submit to cloud sync, iCloud or otherwise.

        BTW: Someone is downvoting all the posts. So I expect the same on this one. Just get rid of the stars and voting. It’s another way people attack and troll each other.

        1. Techies and marketing people live in vastly different worlds. They represent the single worst personality clash in business. I’ll skip my usual lecture on the subject.

          When a negative marketing event, such as this, occurs at a decent business such as Agilebits, I’m relentless. My background at Eastman Kodak taught me well just how destructive bad marketing can be.

        2. I ignore star ratings as I don’t care about popularity or schmoozing here at MDN. I’m here to help with information, opinion and troll trampling. Considering the fact that we’ve had flocks of paid trolls swoop in and kill star ratings of inconvenient comments (against Samsung…) as well as our usual pet anonymous coward stalker trolls, I consider star ratings to be at worst meaningless, at best amusing.

    1. Agilebits has responded to my detailed criticism of their misleading website. The first response was a bot. But one of their support techs then replied with the following, posted below. It’s a lot of safe language with no apology for the deceit that is their website store. I say deceit because there is NO indication that the ‘old’ way to use 1Password is available. IOW: I’m not pleased. I’d rather have heard from their chief marketing moron (aka head of customer abuse).

      Hey Derek,

      Thanks for contacting AgileBits support.

      Thanks also for your very valuable feedback, we really do appreciate it.

      There are currently two different ways of using 1Password and the best route to go is with signing up for our subscription service. With our subscription service you get the latest versions of all the 1Password apps so you can get your passwords from your computer, phone, tablet, and more. Your devices sync automatically — third-party services like Dropbox and iCloud are no longer required. You can even share 1Password with your family members:

      https://1password.com/sign-up/

      For more information on the differences between our older standalone version and subscription service of 1Password, check out this page:

      https://support.1password.com/why-account/

      However, we do still offer our standalone licence if you require one from the App Store or from our online store below:

      https://agilebits.com/store

      I hope that helps. Should you have any other questions or concerns, please feel free to ask.

      Thanks,


      Greig Allen
      Transatlantic Support Jedi @ AgileBits
      Aberdeen, Scotland 🇬🇧
      http://support.1password.com

      It remains the case that their store page does NOT indicate any ability to obtain a ‘standalone licence’ (sic). Shameful.

      I suggest all others concerned about this deceit (IMHO) write Agilebits via their support page. It’s apparently going to take repeated pummeling to end the moronic marketing.

    2. The Register has gotten involved in this marketing moron debacle and provided further insight:

      1Password won’t axe private vaults. It’ll choke ’em to death instead
      Developer promises not to force peeps to the cloud – which it says is way, way better

      In a support forum post earlier this year, a rep told users:

      1Password is no longer marketed as a standalone product. We strongly feel that our 1Password memberships provide a much better experience. If you would like to discuss your particular situation, and what solution may work best for you, please feel free to email us at sales@agilebits.com.

      … Which I did, their response posted above in the thread. It is NEVER satisfactory to hide options for potential customers. It is in fact (IMHO) customer abuse.

      Ahem: LastPass

      It turns out that LastPass also has a ‘premium’ version costing $1 per month. 🙁 Less expensive, but again a subscription model. But at least they put all the options on the table, unlike Agilebits’ moronic marketing (IMHO) dweebs.

      /vent

  6. Been a customer for years, but this is the trend of the web- turn pay once and own it into rent it forever.

    iTunes purchases vs Apple Music
    MS Office vs Office 365
    Companies like Adobe and AutoDesk rent almost everything these days.

    Then there are the gawd awful in-app purchases that have turned previously great one time games into money sucking apps. They juice up the difficulty and sell you upgrades or points to buy skills that would take a very long time to earn just to get a useable play level. Thanks, Tim.

    It is not an exact match for Rent Seeking Behavior in the classic sense, but is close enough. It is a fucked up trend.

    1. BS like this is why I disable automatic app updates. Unfortunately Apple’s app thinning functionality, which is a plus for keeping installed app sizes down, means iTunes can no longer copy the last “safe” version of an app from your iDevice.

  7. I am disappointed by all the whining caused by one poorly-researched article. A better title would have been “Which Security Experts Are Pissed…?” Note the article links to one tweet by a generic Crypto Village Twitter account, not any individual “experts.” 1Password made several responses to try to correct the misinformation. Local vaults are not going away, and no one will be forced into using cloud features. They may stop selling stand-alone to new customers, but so what? That is their right. Isn’t good security worth $3 a month? They’re not doing a “money grab” or “gouging” or “betraying” customers: they are making a business decision which will make their business stronger and provide a much more stable and predictable income stream to fund future research and innovation.
    Isn’t one-third the cost of Netflix per month worth it for top notch security for all your private stuff synced among as many devices as you own, including non-Apple devices? iCloud Keychain works great for Wifi password syncing among Apple devices, but it’s severely lacking in features. Have you never needed access to a secure note stored in your Mac keychain and had no way to do it on a mobile device? 1Password can do that.
    Tell you what: before you lose your mind on this, read up on 1Password’s security and multiple levels of encryption, and the fact that unencrypted data never leaves your device, and 1Password can’t decrypt it for you, thus hacking data from their site is useless. https://1password.com/security/
    Read the article linked in the MacDailyNews story, read the Tweet and the responses. Hysteria will get us nowhere.

    1. AgileBits needs to have clear, unambiguous details of the option to sync by other methods than their cloud service.

      Since I was an existing customer I did not have to buy the “upgrade” but new users are being steered to the stupid cloud rental service. This is about getting regular revenue instead of a one time sale or infrequent SW update sales.

    2. By the fourth or fifth app that switches from buy once to pay monthly, all these ‘subscriptions’ begin to add up. I for one am not a fan of RENTING software. Or songs.

      1. Do you own a house? Count up the total of services (utilities included) and rental fees you pay monthly. This is just another service. Car loan? You’re paying for the service of having the bank pay all at once for your car, and you pay the bank for that service monthly. Add it all up yet? Is $2.99/mo for the convenience and security 1Password provides worth complaining about?

  8. I have used 1Password for years. I have 500 items. I sync with iCloud. Since AgileBits went “rent a software” I have more and more challenges getting past the “family share subscription setup” & restoring my “paid” 1Password database on a new laptop or O/S install. 1Password browser plugins are all still broken on all my browsers since macOS X Sierra.

    Any alternatives? Can I export my 500 1Password entries and load into another password vault? Not everything in my 1Password vault is a password BTW (Wifi SSID, Credit Cards, Medical Information..)

  9. “It remains the case that their store page does NOT indicate any ability to obtain a ‘standalone licence’ (sic)” (sic)
    He was clear that he is in Scotland, and that’s how you spell it there.
    https://www.grammarly.com/blog/licence-license/

    And since when is it required that a seller or retailer of anything promote all of their available products? They cannot emphasize the purchase of one of their products over another? The fact that you have to ASK to purchase a certain version of their product is not being deceitful.
