Who moved my cheese, 1Password? (medium.com/kennwhite)
137 points by danso on July 14, 2017 | hide | past | favorite | 81 comments


This is strictly a business decision with no regards for serious security.

A subscription model is in their belief the only way to maintain a sustainable business model that includes growth by providing SaaS with recurring revenue. Old school static licenses with local storage will not provide recurring revenue.

Edit: removed a word


> This is strictly a business decision

This is my interpretation of the situation having read the (IMO) train-wreck of a blog post excusing this change: https://blog.agilebits.com/2017/07/13/why-we-love-1password-...

> A subscription model is in their belief the only way to maintain a sustainable business model that includes growth by providing SaaS with recurring revenue. Old school static licenses with local storage will not provide recurring revenue.

However I don't really agree with this. I've been buying 1Password since at least version 3 and don't see any reason why I would stop, I've recommended the app to family and friends, and I've bought licenses for my family. 1Password had a sustainable business model, they sold quality, recommendable software with upgrades every couple of years.

edit:

I realise now that "This is strictly a business decision" and "1Password had a sustainable business model" might be seen to be contradictory, but I do see differences. With 1Password subscriptions they will make more money than I estimate I spend on the standalone product. It also means the work put into new features is de-coupled from a release cycle, and therefore the money coming in.


I am also a long time customer of 1Password.

Unfortunately or fortunately (if you are a shareholder of a SaaS public company) we have seen a mass exodus by corporations (see Adobe, MS/o365, Quickbooks, Basecamp, etc.. etc..) that have moved from the traditional purchase a license model to the cloud based subscription model.

While I do understand the benefits of storing certain information in the cloud (GitHub!) when it comes to the storage of critical information such as passwords I'd rather be in control of that information myself and on my own hardware.

While 1Password is correct in suggesting that the cloud model may be the best solution for average users, it runs face first into the best practices of security conscious professionals.

I would personally be willing to pay a premium for a "Pro" version of 1Password with local storage and keep the cloud based subscriptions for people that are either unwilling to or do not have the skill set to manage a local security store.

One more additional note, a move like this should have been more transparent from AgileBits. It looks a bit like they tried to slip one past the goalie, which isn't going to give anyone the warm fuzzies especially when it comes to security products.


FWIW Basecamp (disclaimer: used to work there) never had anything other than a pay monthly SaaS model, and IMO it makes sense given the amount of time people actually spend pulling dynamically updated web pages from the server and is more akin to Github in the usage pattern than something like MS Project or Quickbooks (It's secretly a communications tool).


> I've been buying 1Password since at least version 3 and don't see any reason why I would stop

They're going to struggle to add much in the way of new features I'm willing to pay for, I suspect, which is a problem for them.


Wow, what an overly saccharine blog post. Way to reek about insecurity over your own product when your prose comes off as nigh-Orwellian and you get everyone in your team to grin as hard as (in)humanly possible and kiss their own asses in the comments.


I was about to say this was a marketing department dumpster fire, but then I made it to the comments section. FFS AgileBits what happened?


I have no issue with them moving to a subscription model and encouraging it. I want to see the company sustain itself, which is a lot harder to do with one-time license purchases.

I think the main issue here is that it doesn't sound like using 1Password via the web browser is a good idea. It also doesn't seem like the onboarding process makes it as clear as it should that your passwords are going up into the cloud instead of only being stored locally (even if the crypto is fine).


Moving from local storage to remote storage has "no regards for serious security"? Am I missing something?

EDIT: My misunderstanding! I thought it was an implication that it does not change the security parameters.

And I completely agree: it's a business move that capitalizes user trust.


Yes. "no regards for serious security" means that the software has not taken security as a high priority.

You seem to be interpreting it as the software changes not making a difference to the security stance.


There will likely be significant savings on the support side too. I can't imagine how many times they have to help people find their vaults


> I want companies like AgileBits to thrive […] But I want the choice of where my data reside.

Either you subscribe to their SaaS business model (and trust them to make the right choices with regard to your data) or you don't and keep sovereignty over your data.

If you want data sovereignty, keep your (unencrypted¹) data local, and don't use proprietary software when you can't decide that you don't want the next version after reading the release notes.

1: Where 'encrypted' in this context means encrypted with your local, private encryption keys.


They had a perfectly fine business model. 1Password has been running for years without the SaaS model:

> P. S. Please don’t think our excitement for memberships has anything to do with money. We’re completely self-funded so we don’t have any investors forcing us to make changes by looking solely at our bottom line. We were doing just fine selling individual licenses and AgileBits was already steadily growing before 1Password Teams was even introduced.

https://blog.agilebits.com/2017/07/13/why-we-love-1password-...


True but self-funded companies have investors too. Who sometimes want to cash-in instead of keep working on their products.

The simple fact that AgileBits uses it as an argument here makes me even more skeptical about their decision.


They started doing this about a year ago, and I remember some of the AgileBits folks telling me I was full of it: local vaults were still first class citizens, nothing to worry about.

I moved away back then, because the writing on the wall was clear.


Where did you move to?


After a few years of using LastPass (and following a few of the more or less serious security breaches there) I am using https://www.passwordstore.org/ on both Mac and Linux machines. Works great, GPG encrypted, git synchronized, platform independent.


Wait so the name of the website is stored in plain text? So if I want to store my login for gaymidgetporn.com, there will be a file on my computer with that name?

And anything or anybody on my computer can see all the websites for which I have logins just by doing ls ~/.password-store ?

Erm, no thanks.


If someone compromised your machine (even just user-level access, not root) you're already done. Your browser history is not encrypted and they could get the same kind of information from there.


Nothing stops you from giving the sites an alias and storing the actual URLs in the encrypted files.



What's the point of using git to synchronise password storage?

Assuming you're randomly generating passwords, the diffs basically amount to storing all prior passwords; fine, but git seems overkill for that?


In terms of who needs binary blob diffs, yes, it's overkill. In terms of having an easy-to-set-up sync method anywhere, it works beautifully. Pass has integrated git commands, so `pass git <command>` does everything that git does. Commits are automatic with every change, so all I need to do is "pass git push" on one machine and "pass git pull" on another to keep everything in sync.


> Pass has integrated git commands so pass git <command> does everything that git does.

Ah, okay, I didn't realise it was integrated. I agree that for the target demographic git would seem to be an ideal already understood mechanism.

I thought pass was just local storage, and you were suggesting using `GIT_DIR=/pass/localstorage/path git` to manage synchronisation.


I haven't used `pass` yet so I haven't tested this. But I would expect them to make git treat hashed passwords as binary. That would make git more like a file system with history, which is just what you want for a password store anyway.


I have used roboform for a decade but they also made a new update which is catastrophic. They removed the decryption password which could be different than the cloud login.

Now if they get hacked, that password can also decrypt my info. Before hackers could get the data but the decryption password was never sent to a server.


Very bad business decision, they are killing their own product right there.

In the future everyone googling for a password manager will run into these blog posts where reputable security researchers explain why 1Password is a bad choice.

It's hard to imagine a more harmful reputation for a company trying to sell a password manager.


The fact that it takes me half an hour to find the standalone app for the desktop annoys me every time I recommend this wonderful application.

And, frankly, I know nobody who ever would store their passwords in the cloud. And I am not talking about security-aware people here.


I don't think cloud storage is all that uncommon. Even before 1Password introduced subscriptions, they had sync options for things like Dropbox, and those were pretty popular in my experience. I imagine most users would want some sort of offsite storage either way, and cloud storage is the obvious solution.

That said, there are definitely environments where any kind of third-party storage is unacceptable, so they should keep that option around. Still: Most users are probably better served with cloud storage. Usable security beats perfect security.

What I'm more concerned about is that, IIRC, there's no way to go through the on-boarding process for their subscription service without using their website, which relies on WebCrypto. I'd rather have that (and other management features) be part of the native applications, which can use proper code signing. From what I gather from Twitter, their security lead isn't happy with that either, so hopefully this will change.


You're right, you could sync with Dropbox before cloud subscriptions - but you could literally see the file in your Dropbox. In case of the subscription, you don't see it.

It's a different feeling, more like a black-box.


I am security aware and keep a significant enough subset of my passwords on Dropbox. In fact, it may be because I am security aware and very good at understanding the risk / reward trade off that I feel comfortable operating this way.

With something like a KeePass or pass password store, as long as you have a strong password and avoid storing multiple or historical versions, it is fine. You can't trust any old password manager if you don't know for sure how it operates on the files, but otherwise this is much lower risk than most people think. Something like 1Password cloud is entirely different from storing a password safe in Dropbox.


I'm security aware and I push my passwords to a (private) github repo. I'm using pass and the passwords are gpg-encrypted using a key that lives on my smartcard. I understand that there's a tradeoff there - mostly that pass does not hide the sites that the account is for, but that works for me, the benefit of having a backup outweighs the potential damage in my case.


I do much the same thing, but I push them to a git repo on a server that I control.

GPG smartcards are super nice for that though, the machines I use on a daily basis don't have access to any of my passwords unless I explicitly decrypt them.


That's indeed an interesting approach.


The remark about security-aware people not keeping their passwords in the cloud has got a vibe of "tech-savvy people do not use Macs".


I consider myself security-aware and use LastPass for the majority of my passwords.


The 1Password app is a good product but the subscription model they are pushing is going to turn people off in droves all of whom will go seek out the next stand-alone password app.


I suggest to stick to 1Password4, which works fine on both Linux (wine) and Windows

Maybe they will eventually realize it was a bad move, and start selling again 1Password4 licenses?

I tried very hard to give them money, to get a license on both my laptop and my tablet but they refused.

I have a working 1Password4 setup on Linux and Windows using Dropbox. I will not waste half a day to upgrade to something less secure. I will keep using it until the firefox browser extension stops working. Then I will patch the browser extension :-)


And for things like these is why I abandoned 1Password, LastPass and any similar services and just decided to roll my own solution.

KeePass has quite a few Android apps (this [1] being my favorite) and even though it might not be as widely used as these more centralized services, I own my data and I know where and when my database gets uploaded. In my case, I use SyncThing [2] as well, which keeps my database neatly synchronized across devices. It's not perfect and certainly has a difficulty curve (Babysitting SyncThing to make sure it's actually running when it should. Oh! Also, try telling Android where to sync and actually save the database outside a few select folders, for example!) but it's not that terribly hard for anyone moderately computer-savvy.

[1] https://play.google.com/store/apps/details?id=keepass2androi...

[2] https://syncthing.net/


Does anyone have any recommendations for an equivalently powerful, cross-platform password manager that doesn't store passwords in the cloud?


I moved from LastPass to KeepassX. It's not perfect, but it's pretty darn good. I use Dropbox (I know, I know) to sync my vault across devices (I also have the vault backed up externally), and I use Passlfox + KeepassHttp to autofill the browser.

It was a total pain in the ass to set up, but now that it's working it's almost totally pain free. On iOS I use MiniKeepass. I would love to use KeepassTouch, but they won't release their source code (GPL fork of MiniKeepass) to check, so I'm stuck with MiniKeepass.


I used to do something very similar to you before moving to Syncthing instead of Dropbox.

It's awesome and I can highly recommend it.

Unfortunately I'm not sure the iOS story is as great as Android?


I have a similar configuration, a KeePass file synced across my devices with Syncthing, and it's pain free. I never think about Syncthing ever since I configured it. My only worry is if all devices fail at once, I could lose my whole password safe, but that's highly unlikely.

We tried passpack at work for a while to be able to share passwords across a small group of people and it wasn't a great experience, mostly because we always had to manually share everything to everyone in the group.

We moved to LastPass recently because we can have group passwords. Turns out that you cannot even copy the password without displaying it, which I'm very surprised by.

In comparison, KeePass would be worse when it comes to sharing between a group, but for a single individual, KeePass + Syncthing is amazing. I don't use any plugin, I just open up KeePass, ctrl + f to find the entry, ctrl + b to copy the username, ctrl + c to copy the password. With those shortcuts, it's quick enough for me.


I'm not overly interested in maintaining my own sync service. I'd happily pay for a hosted version of SyncThing (assuming I could verify it) that I don't have to maintain.

I try to balance convenience with security, without being too zealous about either.


Syncthing runs locally, you don't run a separate server with it (although you can, as another participant in the list of clients). When two clients see each other on a local network, or over the internet when you allow the use of the open discovery servers, they sync data. There is no cloud or central service (beyond the optional use of the global discovery servers).

You don't have to maintain anything beyond setting it up and reconfiguring the clients allowed after reinstalling the OS on a client, and occasionally checking on it and updating the software. It's pretty low maintenance.


Passwordstore¹. A single, simple back-end specification — a file and folder hierarchy where each plain text file is encrypted using GnuPG — and a number of clients for any common platform.

If you want to keep it simple, just use the command-line `pass` utility. You can verify the workings of that fairly simple script yourself.

If you want to share your database across multiple machines, you can use git, or a non-cloud synchronisation tool such as Syncthing². You can even encrypt (parts of) your password tree for multiple recipients (all using OpenPGP key-pairs).

Personally, I really like the setup I have with Syncthing and `pass`.

1: https://www.passwordstore.org/

2: https://syncthing.net/


We tried the multiple recipients thing. For operations staff and technical users it is fine, but pass just doesn't work for non-technical users. Even with some of the GUI apps out there.


Looks interesting really. Is there any way of accessing the stored passwords from a mobile phone?


I don't own an Android or iOS smartphone, but have a look at the list of compatible clients; both platforms appear to be supported.


I was looking for a password manager for a long time and ended up with KeePass. There is KeeWeb version, which looks neat but I think original KeePass app is better because of better plugin support.

I use key file and Master password to access my password storage, which is hosted at Dropbox which is behind 2FA. Key file is hosted locally. So I believe this is more secure than just using Master password.

For iOS , I use minikeepass, you can export the password database from Dropbox if you install the app. The need of exporting password database to Minikeepass each time you make update on other devices is kind of annoying tho.

There is a plugin for connecting KeePass to Dropbox and Firefox has plugin for autocompleting and saving passwords to Keepass, so for me it works perfectly fine on desktop.

But in the end, I don't pay for password manager, and I can control my own data.


What do you mean by powerful? I was a very happy user of 1Password, but their lack of Linux support caused me to leave.

I migrated to https://www.passwordstore.org and am perfectly happy. I always used the keyboard driven password search to retrieve passwords in 1Password. On Linux I just use dmenu. It is as good as any other password manager and I don't have to worry about problems like the ones in this article.

I still like 1Password, but I won't be going back.

I still recommend 1Password if you need cloud sync. KeePassX is a good local storage GUI alternative. Or just use Keychain on a Mac.


I meant powerful in terms of the features it offers - for example strong password generation, keyboard shortcut driven UI, browser extensions, fingerprint scanner integration, different storage engines, categories for secure non-password stuff like credit cards, OTP support, shared vaults (over third party storage providers) and even stuff like the icons for each service are useful.

1Password has so many useful features, but the push towards the subscription model feels like Agilebits might phase out all other storage engines eventually, regardless of what the official line is right now. At least maybe they'll branch into Linux support if the subscription model brings in more revenue.


> Strong password generation

    pass generate accounts/news.ycombinator.com 32

> keyboard shortcut driven UI

`pass` is a CLI application. It has tab-autocompletion and everything. It doesn't get more efficient than that (tip: use `pass find` to search for entries).

> different storage engines

It's just OpenPGP encrypted plain text on disk, not sure what more you could want, but there is support for Tomb (https://www.dyne.org/software/tomb/) as well. Anything you expose to the filesystem works of course, including services like SFTP.

> shared vaults

Syncthing or git, and the use of multiple OpenPGP recipients. (See `.gpg-id` in the `pass` man-file.)

> categories for secure non-password stuff like credit cards,

It's plain multi-line text. The only convention is that the first line is intended for the password or secret data that clients would copy to the clipboard. You can store whatever text you want.

> OTP support

https://github.com/tadfisher/pass-otp#readme
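The two comments above describe the `pass` store layout: a directory tree of OpenPGP-encrypted `.gpg` files, a `.gpg-id` file naming the recipients (with per-directory overrides for shared subtrees), and the convention that the first line of a decrypted entry is the secret while the remaining lines are free-form metadata. The following Python script is an added example, not code from the passwordstore.org project: it builds a constructed sample tree in a temporary directory (placeholder `.gpg` files, no real ciphertext and no call to GnuPG), lists what is visible without decryption, resolves which `.gpg-id` applies to a given entry, and parses the decrypted entry format. The recipient addresses and entry names are invented; the alias entry shows how a site URL can live inside the encrypted body instead of in the file name, as suggested earlier in the thread.

```python
"""Walk a passwordstore.org-style tree: list entries, resolve .gpg-id, parse entries.

Added example (not the pass project's own code). The store it builds is a
constructed sample with empty placeholder files standing in for OpenPGP ciphertext.
"""
from __future__ import annotations

import tempfile
from pathlib import Path


def build_sample_store(root: Path) -> None:
    """Create a constructed sample store under `root` (placeholder ciphertext only)."""
    # Root-level recipient; everything without a closer .gpg-id is encrypted to this key.
    (root / ".gpg-id").write_text("alice@example.invalid\n")
    # A shared subtree overrides the recipients: entries below it go to both keys.
    (root / "shared").mkdir()
    (root / "shared" / ".gpg-id").write_text("alice@example.invalid\nbob@example.invalid\n")
    # "alias/site-7" shows the aliasing trick: the real URL lives in the encrypted body.
    for rel in ("accounts/news.ycombinator.com.gpg", "shared/wifi.gpg", "alias/site-7.gpg"):
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"")  # real entries hold OpenPGP ciphertext; placeholder here


def list_entries(root: Path) -> list[str]:
    """Entry names as `pass ls` would show them: the tree is unencrypted metadata."""
    return sorted(p.relative_to(root).as_posix()[: -len(".gpg")] for p in root.rglob("*.gpg"))


def recipients_for(root: Path, entry: str) -> list[str]:
    """Recipients for `entry`: the nearest .gpg-id walking up to the store root.

    Blank lines and `#` comments are ignored (mirrors pass's handling of .gpg-id).
    """
    directory = (root / entry).parent
    while True:
        gpg_id = directory / ".gpg-id"
        if gpg_id.is_file():
            ids = []
            for line in gpg_id.read_text().splitlines():
                line = line.partition("#")[0].strip()
                if line:
                    ids.append(line)
            return ids
        if directory == root:
            raise FileNotFoundError("no .gpg-id between entry and store root")
        directory = directory.parent


def parse_entry(plaintext: str) -> dict:
    """Split a decrypted entry: first line is the secret, `key: value` lines are fields,
    anything else is kept as free-form notes. This is the pass convention, not a schema.
    """
    lines = plaintext.splitlines()
    secret = lines[0] if lines else ""
    fields: dict[str, str] = {}
    notes: list[str] = []
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        if sep and key.strip() and " " not in key.strip():
            fields[key.strip().lower()] = value.strip()
        elif line.strip():
            notes.append(line.rstrip())
    return {"secret": secret, "fields": fields, "notes": notes}


def main() -> None:
    root = Path(tempfile.mkdtemp(prefix="pass-example-"))
    build_sample_store(root)
    print("visible without decryption:", list_entries(root))
    for entry in list_entries(root):
        print(f"{entry}: encrypted to {recipients_for(root, entry)}")
    # Constructed plaintext for the aliased entry (what `pass show alias/site-7` would print).
    decrypted = "correct-horse-battery-staple\nlogin: someone\nurl: https://news.ycombinator.com\nrecovery codes kept offline\n"
    print(parse_entry(decrypted))


if __name__ == "__main__":
    main()
```

Running it prints the three entry names first, which is exactly the metadata the thread worries about: directory and file names are readable by anyone who can run `ls` on the store, while the URL placed in the body of `alias/site-7` is only available after decryption.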


And because it is open and just files it took me 30 minutes to hack up a Python+dmenu script. Combined with the speed of SSD an entire walk of the tree is <100ms.

The shell interface is good. Especially `pass search`. Simple but effective.

It has gotten quite popular as well (amongst technical folks anyway). It is basically just a giant shell script. You can almost sense the author's frustration. FINE, I will just write a password manager myself. This started as a simple 30 line shell script. Then you get into hacking on it. Then you figure FINE, I will polish it and release it. :)


Dmenu with pass is bliss. Emacs keybindings to navigate results. Super simple.

It's just a file system with gpg encrypted files at the end of the day. I keep it organized. Store credit cards, etc.

Browser and fingerprint.... No.


I changed from LastPass to Enpass. It has clients for OS X, Windows, Linux, iOS and Android, and it can be synced with Dropbox, OneDrive, Box, Google Drive, iCloud or ownCloud/WebDAV.



I am not necessarily recommending this, but presenting it as an option. I use a VeraCrypt (nee TrueCrypt) archive with a plaintext file in it. This has advantages (simplicity, security through obscurity) and disadvantages (no auto-form-filling, which is a good protection against phishing[1]). It's worked for me for well over a decade.

[1] https://jacob.hoffman-andrews.com/README/2017/01/15/how-not-...


I'm using Forgotit? http://www.peppermind.com because I wrote it. However, it's not equivalently powerful - no syncing, no browser integration at all, etc.

It's also not open source so I don't recommend it to anyone but me. :-)


My gmail account is my password manager. I click on the forgotten password every time I need to log in pretty much everywhere and paste in some random thing I typed in notepad


I used Password Safe (https://pwsafe.org/) the spec. is open source and there are a variety of clients (iOS, Android, Windows, Mac, Linux).


I don't know if it's equivalently powerful but keepass is what I use and it's pretty safe.


KeePass or KeePass X. But keep in mind that not having cloud storage also means you have to worry about syncing yourself. And if your solution is to sync the database as an amorphous blob, you can basically kiss multi-user access goodbye.


KeePass 2 has built in synchronization functions. But I have to admit that I never tried using it because I keep my database stored on a pen drive which I take with me if I know I need my stored passwords.

> KeePass 2.x features a powerful, built-in synchronization mechanism. Changes made in multiple copies of a database file can be merged safely.

> After synchronizing two files A and B, both A and B are up-to-date (i.e. KeePass saves the merged data to both locations when performing a synchronization).

[1] http://keepass.info/help/v2/sync.html


Master password. Use the website, app, or terminal. It’s brilliant.


So the issue boils down to, this person wants control over where they put their password vaults? To play devil's advocate: what makes your solution better than one from a company specifically based around security? If you use Dropbox, iCloud, etc., why is it somehow better than their cloud based solution? And if you don't choose the cloud option, what makes your local computer significantly better than their cloud based solution, besides that you have control over it? An argument I buy is that you need it to be local for regulatory reasons, but if that's the case you wouldn't be using 1Password since it's not certified in any of the major ways, like HIPAA (from my understanding).

I do agree that you should get a choice, but I don't think the argument the author is presenting is good enough. I do think that the argument that they're pushing their subscription model very heavily is bad, is true, but I can also buy 1Password's argument that it's technically more difficult to set up, because it does tend to be (I remember having to set up something when I set up 1Password initially, but it's been a while now). I also am not worried because, trusting 1Password's word, they're not removing the option.

I do use 1Password, and I don't particularly care about this change. If I'm trusting a company enough to create an app that is essentially the gatekeeper to my entire digital life, I sure as hell should trust their cloud based solution. I think that 1Password is still the best; beyond their vault design, which I have worked with and trust (and trust the researchers who read and verified the white paper), their UI is still the best for me thanks to its great integration into iPhone and Safari. I am of course not a security researcher, but I don't see the inherent negative here.


> what makes your solution better than one from a company specifically based around security? If you use Dropbox, iCloud, etc., why is it somehow better than their cloud based solution?

I deliberately don't use cloud based storage for my passwords, secrets or other stuff I tend to store in 1Password.

> And if you don't choose the cloud option, what makes your local computer significantly better than their cloud based solution, besides that you have control over it?

It's the difference between a remote and a local vulnerability.

If Agile Bits buggers something up and introduces a bug that means password vaults can be decrypted without the master password (or just leak metadata, whatever) then when stored locally you also need to get access to my local machine.

If you are uploading your data to someone else's computer you now have vulnerable data out of your direct control. You've also created a gigantic target for hackers. There is no compartmentalisation, there's a password piñata up there with a huge target painted on it.


Reasons the cloud is bad:

1) I stop paying, I lose all my passwords.

2) 1Password gets acquihired/goes bankrupt, I lose all my passwords.

3) It's easier to be much more confident if my passwords never leave my computer -- sure there could be code in 1Password which secretly makes internet connections for no reason, but people would notice it; however, if it is communicating frequently then it is harder to track. It's IMPOSSIBLE to verify the web access, because they can just send different javascript every time you connect.

If someone finds a 1Password security problem, but my passwords are only on my computer, then that's not too serious. If someone finds a 1Password security problem but my passwords are on Dropbox, then Dropbox has to also have a massive security problem. If my passwords are in 1Password cloud and 1Password has a big security hole, game over.


IMO the article includes an important reason as to why their push to their company controlled cloud is horrible.

> While the product is not open source, the storage format is, which is important to avoid vendor lock-in of your data.

I'm a user of 1Password. Honestly I've been less and less happy with the product for a while now, I think since they moved to version 6. AgileBits seems to have been moving away from the open structure they had and pushes more for vendor lock-in. Which is bad in any case, but especially with your passwords.

The question is not just whether or not you trust them right now, but do you trust them in a year from now? What about 5 years from now? If so, you're on board with the vendor locking and do not have to worry about it so much.

Personally I will move away from 1password because the trust they gained from their start, has slowly degraded for a while now.


As a customer of 1Password since it started, I now find myself just using Apple's despite it being in iCloud, at least for me since I use Safari everywhere, works perfectly for me. I wind up using 1Password less and less. Apple's isn't perfect either but since my life is tied to them in many ways, it works for me.


If, like me, you are a happy 1Password subscription customer and don't care about this business decision, the one thing I did learn from this article is to avoid the browser client and only use the native clients.


As someone who consciously attempts to replace cyclical costs with fixed costs, I hate the push for X as a service. At the end of my month I want to pay the minimum number of recurring charges possible.


I'm quite happy with local-only 1Password sync via SyncThing and LAN sync to my iOS gizmos. I've been avoiding using 1Password with cloud sync because it would increase the attack surface area for little benefit to me.

On the other hand, I do online backup where the data is encrypted by another passphrase before it leaves my machine. Given that I already have my 1Password file backed up with this method, would I be much worse off if I used AgileBits' cloud service?


While I liked 1Password and even was one of the first to try the cloud offering, the latest decisions shook my trust to the point I moved to KeePass.


SaaS and cloud makes sense financially and for support, but it's clear they have lost their most passionate customers.

The worry for them now must be that they have massively miscalculated the number of new signups they were getting as a result of recommendations from these users that are now feeling burned and won't now recommend them above Lastpass, Dashlane etc.


Long to short, the concept of passwords has overstayed its welcome. Think about the brief and brisk evolution of the internet... and we're still stuck with the password?

There's got to be a better way...


So I made a thing that actually sidesteps the whole password storage problem by just storing your hints instead, it's called passcue:

https://passcue.me

After putting together a webapp and browser extensions I kind of gave up on the idea since I didn't think it's something anyone would actually use... Is anyone interested in an idea like this?


Isn't the whole point of password managers that you can use strong random passwords everywhere because you don't have to remember them? Passwords that you can reconstruct from a hint are probably not very safe.


Thanks for the feedback!

Definitely one of the first obvious seeming flaws with the idea (part of why I dropped it, it seems inherently wrong to most) -- but a sufficiently long password (essentially, a "passphrase") with some randomness thrown in is enough (to at least force a brute-forcer to try the whole space, obviously not just dictionary words), when it comes to password strength.

Assuming that's true, the big problem with this approach is how to make sure people use long-enough and sufficiently random passphrases, and I think encouraging hints helps that. If I have a hint like "elementary school cheer w1th 0nes and second crush's name with how you feel" -- I think that's very hard for someone to either brute force, and hard for them to figure out without access to that information (and my own personal inner thoughts), and should be pretty long.

I still think that the safest place for passwords is inside your head (and a close second is a sufficiently physically secure sticky note). If you think I'm wrong please tell me, I'd love to hear why I'm wrong; I'm not a newcomer to the security space but am by no means an expert. LastPass and Onepass have never been "breached" per se, but a pessimistic view would suggest that it's only a matter of time.


Your link is missing the second 's' I think? https://passcue.me


Thanks so much for pointing it out! fixed it



