A Motherboard story on 10 July 2017 entitled “Why Security Experts Are Pissed That ‘1Password’ Is Pushing Users to the Cloud” gave the impression that 1Password’s maker, AgileBits, had stopped allowing users to purchase a license that would enable them to store passwords in local databases, which 1Password calls “vaults.” The article says, “several security researchers tweeted that 1Password was moving away from allowing people to pay for a one-time license and have local password vaults.”
Only near the end of the article does the reporter include a statement from AgileBits that local storage remains available now and for the foreseeable future. (AgileBits later confirmed that such local storage will continue into its next release, version 7.) The “moving away” claim in the article is related only to the one-time license fee. That’s right: the article’s headline and thesis are more or less contradicted about two-thirds of the way in.
The one part that’s correct, however, is that the current 1Password 6 for Windows can only read (not write) local storage vaults synced to the computer. Thus, upgrading from the previous version 4 effectively removes a feature. 1Password 4 for Windows remains available for download for subscribers, even though it isn’t compatible with the 1Password.com cloud service.
All other native 1Password apps can read and write local vaults, whether they’re synced via your own cloud-service account at Dropbox or iCloud, within a Wi-Fi network, or using a folder. You can also still use 1Password on a single device with a local-only vault.
I want to pick apart this story, not to criticize Motherboard or the reporter per se, but instead to explain in greater depth for most existing 1Password users why this licensing shift doesn’t force them to put their passwords in the cloud. And, additionally, how AgileBits’s approach to zero-knowledge encryption in the cloud, which is similar to that employed by Apple for iCloud Keychain and LastPass for its system, may be less risky and less exposed in some ways than using Dropbox to sync vaults.
The devil is in the details, though: despite having a robust design, the implementation of AgileBits’ cloud-based system isn’t as fully transparent and audited as many researchers would like.
Anything that deters people from using strong and safe password generation and storage is cause for concern. But, likewise, developers of password management apps must be careful not to change their apps’ behavior without clear and consistent communication, or else users could be led to make decisions that aren’t in their best interests.
Everyone Wants Recurring Revenue -- The rise of the iOS and Mac App Stores has led to problems for developers. Briefly, Apple’s approach to the stores broke three important parts of the software revenue model: easy distribution of demonstration software, fees for software upgrades, and reasonable price points for software. In-app purchases and certain kinds of software bundles help with just some of that.
As a result, some companies have tried to switch their revenue cycles from selling one-time unlimited-use licenses for a given software version to recurring subscription fees that include free updates for all new versions. The sum of these monthly or yearly fees often works out to be the same as or slightly cheaper than the one-time license fee if you were to pay for every upgrade that became available. Subscriptions usually include extra features, too, like cloud-based sync that doesn’t rely on iCloud or Dropbox storage.
After industry giants Adobe (with Creative Cloud) and Microsoft (with Office 365) showed that subscriptions could work, Smile took an early leap among smaller developers by switching to subscription usage for TextExpander 6 (see “TextExpander 6 Adds Teams and Subscription Billing,” 6 April 2016). The move led to an outcry from users, and the company retreated slightly, reducing pricing for individuals and keeping TextExpander 5 on the market as a standalone product (see “Smile Brings Back Standalone TextExpander, Reduces Subscription Price ,” 13 April 2016). Michael Cohen looked into Smile’s move a year later in April 2017 and found that the situation had mostly calmed down (see “TextExpander by Subscription One Year Later,” 5 April 2017).
AgileBits started offering a cloud-based option for its software just under a year ago and required a subscription to use it (see “1Password Introduces Individual Subscriptions,” 4 August 2016). This approach broadened to include business-style teams with shared vaults, and then family plans, also with sharing. The subscription included access to all 1Password native software, including the premium in-app upgrade features in 1Password for iOS, which was otherwise free to use.
A few months ago, the company shifted to offer only subscription-based access to 1Password. But you could still contact AgileBits to purchase a standalone license. The company maintains that most 1Password.com users get better features, prices, and security from the subscription version, and the founder reiterates that in the blog post noted earlier. It’s certainly a reasonable choice for the company because it eliminates the possibility of data loss experienced by users who don’t otherwise sync and lack backups, among other issues. But does it make sense for users?
Security researcher Kenn White raises a concern in a detailed article about his reaction to AgileBits’s shift. He worries that the way in which a user starts fresh with 1Password (the so-called “onboarding process”) pushes people into storing their data at 1Password.com, rather than explaining the difference between local-only, local-and-synced, and cloud-based vaults. His criticism is valid: AgileBits could improve upon its explanations, even if it still concludes that the cloud is best for most people, most of the time.
The key point for most current 1Password users, however, is that nothing has changed for macOS and iOS users. All the features you had remain, whether you continue to use a standalone license or subscribe. You aren’t required or pushed to use 1Password.com. The trouble is with the Windows version of 1Password.
Local Vaults Haven’t Gone Away -- I exchanged email with Jeffrey Goldberg, AgileBits’s “Chief Defender Against the Dark Arts” — its security head. He agreed that the company’s explanation of how this all works could be clearer. The confusion stems in part from different behavior toward local vaults on each platform the company supports:
The macOS and iOS versions of 1Password offer full support for local vaults, and you can use those releases and sync among them without ever touching 1Password.com. If you already own a standalone-licensed copy and start paying for a subscription, you don’t lose any features.
The Android version can read and write vaults that have been synced via Dropbox, but it can’t create vaults compatible with that method.
The Windows version treats as read-only local vaults of any kind, including those synced via Dropbox. It can only create and modify entries at 1Password.com.
Mac and iOS users were likely unaware of this Windows limitation, but it was the fundamental fact that prompted the Motherboard story.
I was told that AgileBits had intended to provide full local and synced vault support in Windows, but its Windows engineering team apparently found itself unable to do so. As a result, the company is neither promising it will provide that feature nor ruling out future support. On 13 July 2017, however, the company’s founder confirmed that clients that currently handle local vaults will continue to do so in version 7, at whatever future date it appears.
Security experts have also asked questions about what might happen if you stopped paying your 1Password.com subscription fee, or if AgileBits went out of business. Would you still be able to access your local vaults?
Goldberg wrote, “The answer to that question is that yes, they will continue to have access (if they have been using a native client), but it isn’t an unqualified ‘yes.’”
The reason is that some people may use 1Password.com exclusively online, in which case passwords stored there wouldn’t be synced to any local end point. Goldberg said that AgileBits is working to make that “yes” fully unqualified so there would be no case in which someone could lose access to their data.
Dropbox Sync Has Its Own Downsides -- I also need to call out a difference between Dropbox sync (and iCloud sync for Apple users) and 1Password.com sync.
Whenever data leaves your computer and is stored on servers outside your control, you’re introducing some risk that undesirable parties could gain access. For that reason, some people sync data only between servers and devices they own. 1Password in macOS and iOS (and Android) can sync locally over Wi-Fi, and the macOS version can sync via a shared folder.
Once you introduce Dropbox or iCloud into the syncing equation, however, your secure vault is being stored somewhere where data is only encrypted in transit and at rest, and only using encryption keys held by the cloud service. In other words, the cloud service has to be able to decrypt your data to send it back and forth to you, even when it uses an encrypted transit mechanism (typically TLS, the same used on the Web for secure connections).
To protect your passwords whenever the vault file is outside your control, 1Password encrypts that file using a set of “expensive” encryption choices, which means that a brute-force attacker can’t cycle through billions of passwords per second to test which might work. Stealing data from Dropbox or iCloud, sniffing the data in transit, or even compromising a Dropbox or Apple employee won’t be enough to discover your passwords. The attacker must know your password, guess it, or find a way to get you to reveal it through social engineering.
1Password.com employs a different method, treating each username/password entry as a separate item that can be synced back and forth. Not included are a long code unique to your account and your master password. That’s important: AgileBits can’t decrypt your information stored at 1Password.com because it doesn’t have access to any of your passwords, your account code, or encryption keys. In other words, 1Password.com is effectively just a dumb conduit that connects end points. That’s true even when you log into 1Password on the Web, where the encryption is handled entirely in the browser, including receiving encrypted entries and then decrypting them locally.
AgileBits also uses TLS to transmit that strongly encrypted data and wraps another layer of transit encryption around it using a session key that both sides of the connection derive separately rather than transmitting, so it can’t be intercepted.
All these 1Password.com protections together provide a significant level of defense against attack, though they are of course only as good as AgileBits’ implementation of the security model. Some security researchers want more disclosure of how AgileBits has built its system along with outside, independent audits.
There’s one significant way in which syncing via Dropbox or iCloud has an advantage over 1Password.com syncing: in the latter case, you have to trust AgileBits to do what it says it will. When 1Password native apps use local vaults and sync via Dropbox or iCloud, your password never touches AgileBits’ login Web page. Because 1Password itself is freestanding, security researchers can test (and have tested) it in ways that aren’t possible with 1Password.com.
AgileBits says that your password never leaves your browser, and while trusting the company is reasonable, Thomas H. Ptáček noted to me via Twitter that the point is to not have to trust them. “I’m 100% behind 1Password on monthly subscriptions, so long as users I help never have to enter passwords on 1Password.com,” he tweeted. But because using 1Password.com requires entering the master password for your cloud-sync vault on a Web page, even if AgileBits says it’s never transmitted, Ptáček finds the entire system problematic. However, he notes, “I am very confident they will figure this out, by the way, and that I’ll be able to recommend 1Password in the near future.”
No Changes for Existing Users, but Confusion for New Users -- AgileBits doesn’t make it easy for new users to choose between local and cloud-based vaults. The company has effectively picked a route that it thinks is best and is directing new users down that path. Kenn White’s discussion goes into some depth about whether or not those choices are correct.
From my experience, the more people are encouraged to use robust security the better, and AgileBits’ cloud approach, assuming it’s well implemented, is an entirely reasonable way to preserve user security and privacy while maintaining ease of access and the option to sync data locally.
If you use 1Password on any platform except Windows now, you won’t notice a change if you switch to a subscription, because your current ability to use 1Password entirely locally remains in place. That’s good, and this fact is one of the reasons that security researchers have long recommended 1Password.
And although it requires some effort, new users can sign up and configure any version of 1Password other than the Windows app to sync via Wi-Fi or a folder, sync via Dropbox or iCloud, or sync and access via 1Password.com. Or, if you don’t need to move data between devices, you can avoid syncing entirely. AgileBits should do a better job of communicating this fact to new users during the onboarding process.
The Motherboard article’s criticisms may have been overly broad and overstated, but they weren’t entirely inaccurate, given the limitations of 1Password 6 for Windows. Nonetheless, by conflating the Windows version with 1Password for macOS, iOS, and Android, the article generated confusion and feelings of betrayal. That’s bad journalism that may attract eyeballs, but unnecessarily undermines trust in a popular and useful piece of security software.