1Password irks security experts in push toward cloud-based vaults

Posted in General Discussion, edited July 2017
Over the weekend, a number of security researchers took to Twitter to voice their displeasure at AgileBits' decision to push its popular password management service 1Password away from local credential storage to a cloud-based option.

While the company has no immediate plans to remove local vault storage, security researchers noted 1Password is quietly shifting to a subscription-only model that stores passwords on remote servers, reports Motherboard.

As part of the shift, 1Password is pushing customers to monthly subscription plans that serve up remotely stored password vaults through 1Password.com. Previously, the app and corresponding service were sold via a one-time license, which allowed users to generate and store passwords in an encrypted local vault.

Security researchers previously recommended 1Password because of its local storage feature, which some believe is more secure than keeping data in the cloud.

With local storage, nefarious actors looking to gain access to saved passwords would have to break into a specific device. Cloud storage alternatives, like 1Password.com, leave personal passwords vulnerable to attacks against the service itself, researchers argue.

Storing passwords remotely offers a number of advantages, however, including immediate access from any internet-connected device. Further, users who lose their smartphone or computer, or have it stolen, don't need to worry about resetting locally stored credentials.

"We want our customers to get the best. Some people won't agree with that (which is fine!) so we'll work with them to get set up how they want, but for 99.9 percent of people, 1Password.com is absolutely the way to go," said 1Password engineer Connor Hicks.

Hicks said AgileBits will not "remove support for local/Dropbox/iCloud vaults from the software" in the immediate future. If a customer feels a one-time license is in their best interest, they can contact AgileBits via email and the company will "help them determine if a license is really what's best for them," Hicks said.

Comments

  • Reply 1 of 63
    asterion Posts: 112 member
    ...the company will "help them determine if a license is really what's best for them," Hicks said.

    So that's going to be completely impartial advice... Right!
  • Reply 2 of 63
    macxpress Posts: 5,796 member
    I would like to keep my own vault in my own place thank you very much. I don't want to be forced to use something just so they can make an extra buck off me and I don't want to RENT my software, especially considering I've already purchased this. I think this is more of a reoccurring revenue thing than a "this is what's best for the customer" thing. That is said just to cover their ass for this stupid continuous subscription based software thing every software company seems to love to do. Works out for the company as they get continuous revenue, but it sucks for the customer.

    I really love this app and what it does...but the model they're trying to force customers to switch over to sucks and they could start losing customers (like me).
  • Reply 3 of 63
    Soli Posts: 10,035 member
    I'm not going to use their cloud-based vault, but this is effectively no different than what we all do with iCloud or Dropbox for storing copious amounts of data that is all maintained by "one password." Hell, even my 1Password vault is now synced to iCloud and previously through Dropbox, which is all they're doing since each account has a unique key.
  • Reply 4 of 63
    anome Posts: 1,531 member

    I like 1Password. It's been a great help in managing my accounts and passwords, but if they force me to use their cloud storage for my vault, as opposed to letting me store it locally, or use a different cloud service, and pay a subscription for the privilege, then I'm not going to be happy.

    I've paid for 1Password, and I've paid for upgrades to new versions when necessary. Local vault storage makes it worth paying for. I can't see any advantage to using Agile Bits storage over my own.

  • Reply 5 of 63
    cpsro Posts: 3,189 member
    AgileBits needs to add support for Resilio (nee Bittorrent) Sync stat, so users can have the best of both worlds: immediate access across all synced devices and locally controlled storage. And, yes, AgileBits' subscription model sucks.
  • Reply 6 of 63
    Soli Posts: 10,035 member
    cpsro said:
    AgileBits needs to add support for Resilio (nee Bittorrent) Sync stat, so users can have the best of both worlds: immediate access across all synced devices and locally controlled storage. And, yes, AgileBits' subscription model sucks.
    I don't understand why you need 1Password for Resilio. Can't you just sync to the folder/file your vault is stored and have it be copied to another device?
  • Reply 7 of 63
    dws-2 Posts: 276 member
    I like this company. It used to be the only software I would consider.

    However, not allowing local-only copies of passwords means that when (if?) someone breaks into 1Password's servers, people are going to have the potential to have all their passwords stolen. The password vaults will almost definitely be heavily encrypted, but the potential for widespread harm is huge, and once high value things like all people's passwords are online all in one place, the motivation to hack into it is going to be extremely high. I'm not saying it's going to happen, but I am saying that my level of trust would be much lower.

  • Reply 8 of 63
    toysandme Posts: 243 member
    It's time to start one-star reviews on the App Store 

  • Reply 9 of 63
    I have been using LastPass and it was a cloud based solution from the very beginning. I was hesitant at first, but having access to your password vault from every device you own is very convenient. LastPass app also uses 2FA and TouchID for added security.
  • Reply 10 of 63
    cpsro Posts: 3,189 member
    Soli said:
    cpsro said:
    AgileBits needs to add support for Resilio (nee Bittorrent) Sync stat, so users can have the best of both worlds: immediate access across all synced devices and locally controlled storage. And, yes, AgileBits' subscription model sucks.
    I don't understand why you need 1Password for Resilio. Can't you just sync to the folder/file your vault is stored and have it be copied to another device?
    That's fine for Mac/Win/Linux users. But that doesn't help with access on iOS devices, where the data would be synced and accessible within the Resilio Sync app, but it would also be encrypted/unusable without AgileBits adding support for Sync access.
  • Reply 11 of 63
    Soli Posts: 10,035 member
    cpsro said:
    Soli said:
    cpsro said:
    AgileBits needs to add support for Resilio (nee Bittorrent) Sync stat, so users can have the best of both worlds: immediate access across all synced devices and locally controlled storage. And, yes, AgileBits' subscription model sucks.
    I don't understand why you need 1Password for Resilio. Can't you just sync to the folder/file your vault is stored and have it be copied to another device?
    That's fine for Mac/Win/Linux users. But that doesn't help with access on iOS devices, where the data would be synced and accessible within the Resilio Sync app, but it would also be encrypted/unusable without AgileBits adding support for Sync access.
    Wouldn't a bit torrent app on App Store violate Apple's rules?
  • Reply 12 of 63
    cgWerks Posts: 2,952 member
    While it's my understanding that they've gone to great extents to make their cloud service extra-secure... I'd still rather store the files locally and manage where they get stored and how they are backed up and archived.

    I've tried 1Password a number of times (I've owned a few versions I got in bundles), but I keep sticking with PasswordWallet by Selznick. I've been using it since palm pilot days and it works on every platform. And ***I*** manage how and where the data file exists.

    That's a pretty key feature for me, though I understand that 1Password's solution makes it much easier to use for families and groups. I've done that with PasswordWallet as well, but it requires more technical knowledge and probably isn't as bulletproof in terms of something going wrong with my sync and such. That said, I keep regular dated archives, so if something does go wrong, I can manually fix it.
  • Reply 13 of 63
    rob55 Posts: 1,291 member
    Sounds like a complaint email to "Your friend to the north, Dave Teare" might be in order.
  • Reply 14 of 63
    jb510 Posts: 129 member
    AgileBits has been openly hostile to their most passionate user base of years so this is no surprise.  They still have the best product, but every change they ever made has been driven by maximizing sales and profit over giving users what they want.   

    Look in their forums and it's just ends feature requests get told "will consider that.... for the next millennium while pretending we care.

    I still will use it, but if I ever have to switch to their public cloud I'll bail.
  • Reply 15 of 63
    Soli Posts: 10,035 member
    jb510 said:
    …every change they ever made has been driven by maximizing sales and profit over giving users what they want.
    If the end of your sentence were true then they can't be focusing on maximizing sales and profits. What you mean to say is that they're no longer operating the way you want them to operate. Not doing what you want isn't being hostile toward you.

    Personally, I prefer that I paid upwards of $58(?) to buy the app licenses out right for macOS, Windows, and iOS, and I prefer not to pay a monthly fee because I know exactly what I want and how I want to use it, but it's not my fucking company and they're clearly appealing to a more average consumer who would rather get a limited app for free to try it out and then pay a small stipend for a month to see if the features are worth it.
  • Reply 16 of 63
    stuke Posts: 122 member
    Well, don't switch to mSecure.  They too have recently screwed their customers of the past four years with ONLY being able to sync across devices by opening an account with them and storing your material ONLY on their server.  They removed WiFi, iCloud, and DropBox sync options, and gave us a "teenager selfie" GUI to boot.  At least it's not subscriptionware...yet. 

    I don't know what it is but software companies are making changes without listening to their loyal customers.  It's a shame, loyalty is a lost attribute in human relations.
  • Reply 17 of 63
    Soli said:
    I'm not going to use their cloud-based vault, but this is effectively no different than what we all do with iCloud or Dropbox for storing copious amounts of data that is all maintained by "one password." Hell, even my 1Password vault is now synced to iCloud and previously through Dropbox, which is all they're doing since each account has a unique key.
    It's not the same thing as agilebits servers become a large honeypot for hackers. A single compromise means they could have access to everybody's 1Password vaults and keys. By being able to access your vault via the web, it necessitates key storage by agilebits.

    When a user stores in iCloud/ dropbox their decryption keys aren't stored there. 
  • Reply 18 of 63
    theotherphil said:
    By being able to access your vault via the web, it necessitates key storage by agilebits.
    Actually, that is not true. Agilebits has a security discussion with a link to their white paper at https://1password.com/security/ .  They have a scheme which allows them to offer web access and syncing without agilebits having the ability to decrypt your data. 
  • Reply 19 of 63
    Soli Posts: 10,035 member
    Soli said:
    I'm not going to use their cloud-based vault, but this is effectively no different than what we all do with iCloud or Dropbox for storing copious amounts of data that is all maintained by "one password." Hell, even my 1Password vault is now synced to iCloud and previously through Dropbox, which is all they're doing since each account has a unique key.
    It's not the same thing as agilebits servers become a large honeypot for hackers. A single compromise means they could have access to everybody's 1Password vaults and keys. By being able to access your vault via the web, it necessitates key storage by agilebits.

    When a user stores in iCloud/ dropbox their decryption keys aren't stored there. 
    How is that not different than a hacker getting access to iCloud, Dropbox, or any other major server with millions of accounts? You do not understand that getting access to 1Password's servers does not mean they have access to any single user account vault because 1Password doesn't keep keys to anyone's vault? It's no different than syncing your 1Password vault through Dropbox and Dropbox being hacked. Even if your account is compromised your vault is still protected by its own encryption and would require its password to be unlocked, which is why one should use a very long and secure pass-phrase for their vault. 
  • Reply 20 of 63
    I'm using Dashlane...but am thinking of switching to Apple's application, Keychains. May do it, at the intro of High Sierra. 
