1Password irks security experts in push toward cloud-based vaults
Over the weekend, a number of security researchers took to Twitter to voice their displeasure at AgileBits' decision to push its popular password management service 1Password away from local credential storage to a cloud-based option.
While the company has no immediate plans to remove local vault storage, security researchers noted 1Password is quietly shifting to a subscription-only model that stores passwords on remote servers, reports Motherboard.
As part of the shift, 1Password is pushing customers to monthly subscription plans that serve up remotely stored password vaults through 1Password.com. Previously, the app and corresponding service were sold via a one-time license, which allowed users to generate and store passwords in an encrypted local vault.
Security researchers previously recommended 1Password because of its local storage feature, which some believe is more secure than keeping data in the cloud.
With local storage, nefarious actors looking to gain access to saved passwords would have to break into a specific device. Cloud storage alternatives, like 1Password.com, leave personal passwords vulnerable to attacks against the service itself, researchers argue.
Storing passwords remotely offers a number of advantages, however, including immediate access from any internet-connected device. Further, users whose smartphone or computer is lost or stolen don't need to worry about resetting locally stored credentials.
"We want our customers to get the best. Some people won't agree with that (which is fine!) so we'll work with them to get set up how they want, but for 99.9 percent of people, 1Password.com is absolutely the way to go," said 1Password engineer Connor Hicks.
Hicks said AgileBits will not "remove support for local/Dropbox/iCloud vaults from the software" in the immediate future. If a customer feels a one-time license is in their best interest, they can contact AgileBits via email and the company will "help them determine if a license is really what's best for them," Hicks said.
Comments
So that's going to be completely impartial advice... Right!
I really love this app and what it does...but the model they're trying to force customers to switch over to sucks and they could start losing customers (like me).
I like 1Password. It's been a great help in managing my accounts and passwords, but if they force me to use their cloud storage for my vault, as opposed to letting me store it locally, or use a different cloud service, and pay a subscription for the privilege, then I'm not going to be happy.
I've paid for 1Password, and I've paid for upgrades to new versions when necessary. Local vault storage makes it worth paying for. I can't see any advantage to using AgileBits storage over my own.
However, not allowing local-only copies of passwords means that when (if?) someone breaks into 1Password's servers, people are going to have the potential to have all their passwords stolen. The password vaults will almost definitely be heavily encrypted, but the potential for widespread harm is huge, and once high value things like all people's passwords are online all in one place, the motivation to hack into it is going to be extremely high. I'm not saying it's going to happen, but I am saying that my level of trust would be much lower.
I've tried 1Password a number of times (I've owned a few versions I got in bundles), but I keep sticking with PasswordWallet by Selznick. I've been using it since Palm Pilot days and it works on every platform. And ***I*** manage how and where the data file exists.
That's a pretty key feature for me, though I understand that 1Password's solution makes it much easier to use for families and groups. I've done that with PasswordWallet as well, but it requires more technical knowledge and probably isn't as bulletproof in terms of something going wrong with my sync and such. That said, I keep regular dated archives, so if something does go wrong, I can manually fix it.
Look in their forums and it's just ends feature requests get told "will consider that.... for the next millennium while pretending we care."
I still will use it, but if I ever have to switch to their public cloud I'll bail.
Personally, I prefer that I paid upwards of $58(?) to buy the app licenses outright for macOS, Windows, and iOS, and I prefer not to pay a monthly fee because I know exactly what I want and how I want to use it, but it's not my fucking company and they're clearly appealing to a more average consumer who would rather get a limited app for free to try it out and then pay a small stipend for a month to see if the features are worth it.
I don't know what it is but software companies are making changes without listening to their loyal customers. It's a shame, loyalty is a lost attribute in human relations.
When a user stores in iCloud/Dropbox, their decryption keys aren't stored there.