AgileBits Isn’t Forcing 1Password Data to Live in the Cloud
A Motherboard story on 10 July 2017 entitled “Why Security Experts Are Pissed That ‘1Password’ Is Pushing Users to the Cloud” gave the impression that 1Password’s maker, AgileBits, had stopped allowing users to purchase a license that would enable them to store passwords in local databases, which 1Password calls “vaults.” The article says, “several security researchers tweeted that 1Password was moving away from allowing people to pay for a one-time license and have local password vaults.”
Only near the end of the article does the reporter include a statement from AgileBits that local storage remains available now and for the foreseeable future. (AgileBits later confirmed that such local storage will continue into its next release, version 7.) The “moving away” claim in the article is related only to the one-time license fee. That’s right: the article’s headline and thesis are more or less contradicted about two-thirds of the way in.
The one part that’s correct, however, is that the current 1Password 6 for Windows can only read (not write) local storage vaults synced to the computer. Thus, upgrading from the previous version 4 effectively removes a feature. 1Password 4 for Windows remains available for download for subscribers, even though it isn’t compatible with the 1Password.com cloud service.
All other native 1Password apps can read and write local vaults, whether they’re synced via your own cloud-service account at Dropbox or iCloud, within a Wi-Fi network, or using a folder. You can also still use 1Password on a single device with a local-only vault.
I want to pick apart this story, not to criticize Motherboard or the reporter per se, but instead to explain in greater depth for most existing 1Password users why this licensing shift doesn’t force them to put their passwords in the cloud. And, additionally, how AgileBits’s approach to zero-knowledge encryption in the cloud, which is similar to that employed by Apple for iCloud Keychain and LastPass for its system, may be less risky and less exposed in some ways than using Dropbox to sync vaults.
The devil is in the details, though: despite having a robust design, the implementation of AgileBits’ cloud-based system isn’t as fully transparent and audited as many researchers would like.
Anything that deters people from using strong and safe password generation and storage is cause for concern. But, likewise, developers of password management apps must be careful not to change their apps’ behavior without clear and consistent communication, or else users could be led to make decisions that aren’t in their best interests.
Everyone Wants Recurring Revenue — The rise of the iOS and Mac App Stores has led to problems for developers. Briefly, Apple’s approach to the stores broke three important parts of the software revenue model: easy distribution of demonstration software, fees for software upgrades, and reasonable price points for software. In-app purchases and certain kinds of software bundles help with just some of that.
As a result, some companies have tried to switch their revenue cycles from selling one-time unlimited-use licenses for a given software version to recurring subscription fees that include free updates for all new versions. The sum of these monthly or yearly fees often works out to be the same as or slightly cheaper than the one-time license fee if you were to pay for every upgrade that became available. Subscriptions usually include extra features, too, like cloud-based sync that doesn’t rely on iCloud or Dropbox storage.
After industry giants Adobe (with Creative Cloud) and Microsoft (with Office 365) showed that subscriptions could work, Smile took an early leap among smaller developers by switching to subscription usage for TextExpander 6 (see “TextExpander 6 Adds Teams and Subscription Billing,” 6 April 2016). The move led to an outcry from users, and the company retreated slightly, reducing pricing for individuals and keeping TextExpander 5 on the market as a standalone product (see “Smile Brings Back Standalone TextExpander, Reduces Subscription Price ,” 13 April 2016). Michael Cohen looked into Smile’s move a year later in April 2017 and found
that the situation had mostly calmed down (see “TextExpander by Subscription One Year Later,” 5 April 2017).
AgileBits started offering a cloud-based option for its software just under a year ago and required a subscription to use it (see “1Password Introduces Individual Subscriptions,” 4 August 2016). This approach broadened to include business-style teams with shared vaults, and then family plans, also with sharing. The subscription included access to all 1Password native software, including the premium in-app upgrade features in 1Password for iOS, which was otherwise free to use.
A few months ago, the company shifted to offer only subscription-based access to 1Password. But you could still contact AgileBits to purchase a standalone license. The company maintains that most 1Password.com users get better features, prices, and security from the subscription version, and the founder reiterates that in the blog post noted earlier. It’s certainly a reasonable choice for the company because it eliminates the possibility of data loss experienced by users who don’t otherwise sync and lack backups, among other issues. But does it make sense for users?
Security researcher Kenn White raises a concern in a detailed article about his reaction to AgileBits’s shift. He worries that the way in which a user starts fresh with 1Password (the so-called “onboarding process”) pushes people into storing their data at 1Password.com, rather than explaining the difference between local-only, local-and-synced, and cloud-based vaults. His criticism is valid: AgileBits could improve upon its explanations, even if it still concludes that the cloud is best for most people, most of the time.
The key point for most current 1Password users, however, is that nothing has changed for macOS and iOS users. All the features you had remain, whether you continue to use a standalone license or subscribe. You aren’t required or pushed to use 1Password.com. The trouble is with the Windows version of 1Password.
Local Vaults Haven’t Gone Away — I exchanged email with Jeffrey Goldberg, AgileBits’s “Chief Defender Against the Dark Arts” — its security head. He agreed that the company’s explanation of how this all works could be clearer. The confusion stems in part from different behavior toward local vaults on each platform the company supports:
- The macOS and iOS versions of 1Password offer full support for local vaults, and you can use those releases and sync among them without ever touching 1Password.com. If you already own a standalone-licensed copy and start paying for a subscription, you don’t lose any features.
- The Android version can read and write vaults that have been synced via Dropbox, but it can’t create vaults compatible with that method.
The Windows version treats as read-only local vaults of any kind, including those synced via Dropbox. It can only create and modify entries at 1Password.com.
Mac and iOS users were likely unaware of this Windows limitation, but it was the fundamental fact that prompted the Motherboard story.
I was told that AgileBits had intended to provide full local and synced vault support in Windows, but its Windows engineering team apparently found itself unable to do so. As a result, the company is neither promising it will provide that feature nor ruling out future support. On 13 July 2017, however, the company’s founder confirmed that clients that currently handle local vaults will continue to do so in version 7, at whatever future date it appears.
Security experts have also asked questions about what might happen if you stopped paying your 1Password.com subscription fee, or if AgileBits went out of business. Would you still be able to access your local vaults?
Goldberg wrote, “The answer to that question is that yes, they will continue to have access (if they have been using a native client), but it isn’t an unqualified ‘yes.’”
The reason is that some people may use 1Password.com exclusively online, in which case passwords stored there wouldn’t be synced to any local end point. Goldberg said that AgileBits is working to make that “yes” fully unqualified so there would be no case in which someone could lose access to their data.
Dropbox Sync Has Its Own Downsides — I also need to call out a difference between Dropbox sync (and iCloud sync for Apple users) and 1Password.com sync.
Whenever data leaves your computer and is stored on servers outside your control, you’re introducing some risk that undesirable parties could gain access. For that reason, some people sync data only between servers and devices they own. 1Password in macOS and iOS (and Android) can sync locally over Wi-Fi, and the macOS version can sync via a shared folder.
Once you introduce Dropbox or iCloud into the syncing equation, however, your secure vault is being stored somewhere where data is only encrypted in transit and at rest, and only using encryption keys held by the cloud service. In other words, the cloud service has to be able to decrypt your data to send it back and forth to you, even when it uses an encrypted transit mechanism (typically TLS, the same used on the Web for secure connections).
To protect your passwords whenever the vault file is outside your control, 1Password encrypts that file using a set of “expensive” encryption choices, which means that a brute-force attacker can’t cycle through billions of passwords per second to test which might work. Stealing data from Dropbox or iCloud, sniffing the data in transit, or even compromising a Dropbox or Apple employee won’t be enough to discover your passwords. The attacker must know your password, guess it, or find a way to get you to reveal it through social engineering.
1Password.com employs a different method, treating each username/password entry as a separate item that can be synced back and forth. Not included are a long code unique to your account and your master password. That’s important: AgileBits can’t decrypt your information stored at 1Password.com because it doesn’t have access to any of your passwords, your account code, or encryption keys. In other words, 1Password.com is effectively just a dumb conduit that connects end points. That’s true even when you log into 1Password on the Web, where the encryption is handled entirely in the browser, including receiving encrypted entries and then decrypting them locally.
AgileBits also uses TLS to transmit that strongly encrypted data and wraps another layer of transit encryption around it using a session key that both sides of the connection derive separately rather than transmitting, so it can’t be intercepted.
All these 1Password.com protections together provide a significant level of defense against attack, though they are of course only as good as AgileBits’ implementation of the security model. Some security researchers want more disclosure of how AgileBits has built its system along with outside, independent audits.
There’s one significant way in which syncing via Dropbox or iCloud has an advantage over 1Password.com syncing: in the latter case, you have to trust AgileBits to do what it says it will. When 1Password native apps use local vaults and sync via Dropbox or iCloud, your password never touches AgileBits’ login Web page. Because 1Password itself is freestanding, security researchers can test (and have tested) it in ways that aren’t possible with 1Password.com.
AgileBits says that your password never leaves your browser, and while trusting the company is reasonable, Thomas H. Ptáček noted to me via Twitter that the point is to not have to trust them. “I’m 100% behind 1Password on monthly subscriptions, so long as users I help never have to enter passwords on 1Password.com,” he tweeted. But because using 1Password.com requires entering the master password for your cloud-sync vault on a Web page, even if AgileBits says it’s never transmitted, Ptáček finds the entire system problematic. However, he notes, “I am very confident they will figure this out, by the way, and that I’ll be able to recommend 1Password in the near future.”
No Changes for Existing Users, but Confusion for New Users — AgileBits doesn’t make it easy for new users to choose between local and cloud-based vaults. The company has effectively picked a route that it thinks is best and is directing new users down that path. Kenn White’s discussion goes into some depth about whether or not those choices are correct.
From my experience, the more people are encouraged to use robust security the better, and AgileBits’ cloud approach, assuming it’s well implemented, is an entirely reasonable way to preserve user security and privacy while maintaining ease of access and the option to sync data locally.
If you use 1Password on any platform except Windows now, you won’t notice a change if you switch to a subscription, because your current ability to use 1Password entirely locally remains in place. That’s good, and this fact is one of the reasons that security researchers have long recommended 1Password.
And although it requires some effort, new users can sign up and configure any version of 1Password other than the Windows app to sync via Wi-Fi or a folder, sync via Dropbox or iCloud, or sync and access via 1Password.com. Or, if you don’t need to move data between devices, you can avoid syncing entirely. AgileBits should do a better job of communicating this fact to new users during the onboarding process.
The Motherboard article’s criticisms may have been overly broad and overstated, but they weren’t entirely inaccurate, given the limitations of 1Password 6 for Windows. Nonetheless, by conflating the Windows version with 1Password for macOS, iOS, and Android, the article generated confusion and feelings of betrayal. That’s bad journalism that may attract eyeballs, but unnecessarily undermines trust in a popular and useful piece of security software.
Frustratingly, Agile Bits are intentionally misleading in their communication to create the impression that local vaults are still universally supported when that is simply no longer true.
Not only are local vaults no longer supported in the current Windows version, there are currently no plans to bring that feature back.
They could absolutely be clearer, but it’s also unclear whether they will bring it back. As Kenn White’s post notes (linked in the article), they’ve provided mixed messages.
"I was told that AgileBits had intended to provide full local and synced vault support in Windows, but its Windows engineering team apparently found itself unable to do so."
It sounds to me like Windows client support was already behind other clients. One-time license holders may keep using v4 on Windows (which is still downloadable) but maybe new customers on Windows can only use v4 if they're a subscriber?
Glenn -- Thanks for tagging bad journalism, also known as Fake News.
Ignoring the click baiting original article -- you said "And although it requires some effort, new users can sign up and configure any version of 1Password other than the Windows app to sync via Wi-Fi or a folder, sync via Dropbox or iCloud, or sync and access via 1Password.com. Or, if syncing isn’t necessary, it’s possible to avoid syncing entirely. AgileBits should do a better job of communicating this fact to new users during the onboarding process."
Your comments are right on target.
I switched to 1Password several years ago. Imagine my surprise when AgileBit started hiding the non-subscription license. It took a while to find the truth. And I am considered to be reasonable competent.
Many of us do NOT want yet another cloud subscription, for reasons of money, security, and/or, security. I'm keeping 1Password and continuing dialogs with the developers, but will resist YACS (Yet Another Cloud Subscription). AgileBits (and other software vendors) should make this easier.
"Many of us do NOT want yet another cloud subscription, for reasons of money, security, and/or, security."
Completely agree. I've bought 1Password for iPhone twice now. While I don't expect them to keep updating & supporting the app over major OS changes, I don't want to subscribe. Partly because I don't use the sync features. Partly because I don't want to look at my CC statement every month and wonder if I really need 1P.
Apart from the security concerns, I wonder about the reliability of the syncing. iCloud and Dropbox have gotten pretty reliable for things like this. When DayOne switched to running their own sync service, sync got slower, and it doesn't always work. For a journal that's OK. For a password repository I need a bit more reliability. Local vaults that sync give me that.
I resisted the subscription model, but decided its such a critical part of my security process that it was worth it. For me, syncing has been nearly flawless. I still have to sort out how to manage things so I don't have two separate entries for so many items (shared vs personal vaults.)
I had major issues with TextExpander going Subscription until they lowered the price for long-time users to a reasonable amount. I realized I pay more for a cup of coffee per month, so I have that one.
Thank you for this article, which clarified some of the 1Password confusions I have been having.
I bought a standalone Windows license a year or two ago, and sync to 3 Windows computers and 3 IOS devices via Dropbox.
Recently, I needed to begin using 1Password on a couple of Macs as well. I was surprised to learn that I could subscribe but no longer purchase a license, and that by default I had to sync to a web store.
If you're not careful about how you approach multi-platform deployments, you easily can end up with two or more canonical vaults in different places, not sync'd with one another.
1Password v4 for Windows does sync with Dropbox.
Thanks again. Excellent article.
I've been a 1Password user for years and haven't done the subscription change (yet). I'm personally not against it because I see the value in using a tool like 1Password but for new users, especially users who don't quite fully understand how important it is to use a password management system, a subscription is a harder sell.
I was helping a friend set up his new computer and mentioned that he might want to consider 1Password. I couldn't find the stand-alone license on their site so I Called them and they never told me we could purchase a stand-alone license. Very aggressive marketing of the subscription and my friend was put off by that.
1Password is a good product but they need to make an easier and cheaper way for new users to get started with it.
This is EXACTLY why many still feel betrayed. Their 'aggressive' marketing allows most to conclude they have no intention of continuing to offer the stand alone version which in turn leads most to suspect current users will be dropped or forced into a re-occurring subscription model.
Glenn, thanks for your clarifying article.
I, too, have been using 1Password for Mac and iOS for years, relying on local synchronisation. Currently, I do not consider switching to 1Password.com.
Am I mistaken, or didn't Agile Bits first say that they were only offering a cloud version in the future, before changing their tune given the reaction of users? I don't want to use the cloud, even though I understand its advantages for some, and I recall there was a bit of uncertainty at the time.
I doubt that nothing will change for existing macOS/iOS users of 1Password 6. It will probably not be possible to upgrade to 1Password 7 for a one-time fee, and for how long 1Password 6 will still be working is completely unclear.
I do understand that it is a real problem for developers not to be able to charge for updates (shame on Apple for that) and that that is a reason for developers to change to a subscription model.
However, in the case of 1Password I find $3 per month definitely too high. I bought 1Password in 2014 for $25. That the price has now gone up to $65 is in my opinion nothing but a bad joke, meant to sugarcoat the subscription price of "only" $36 (not one-time, but per year).
If AgileBits would offer 1Password for a more reasonable subscription price (i. e. $18 per year) I would probably do it. That way they would get $54 from me over the next three years - more than double what they got from me the last three years. But $36 per year is not appropriate, I think.
I tried 1Password a few years back based on TidBITs and their readers recommendations. I ran it simultaneously with PasswordWallet so no data would be lost. I have been using PW since the late 90s.
Somehow I realized 1Password was going to be a problem in the long run and I abandoned it.
PasswordWallet is available from www.selznick.com. I admit it does not integrate with browsers as thoroughly. But I have never lost any data, and it is available on all my devices for with the single purchase. They have never asked for monthly fees. I have had to repurchase it on some of the app updates but it was always a one time fee and was more than reasonable to me for an app I use daily.
I assume there are other apps that may be as good and have as few problems. But I have never used them.
I don't know why TidBITs ignores PW now. It was their recommendation that got me to purchase it to start with.
Just my opinion and I am done with this thread now.
The first paragraph of this article is just blatantly incorrect. AgileBits HAS forced Windows 1Password customers on version 6 to the cloud. You CANNOT create a local vault under 1Password 6 for Windows. Further, AgileBits, in their own forums, will NOT commit to having local vaults for the foreseeable future. They have ONLY stated they will not take away the ability in their CURRENT versions.
I can’t fully agree. Windows users can download 1Password 4, which is non-ideal, and it’s part of the bad messaging/aggressive marketing I describe. Our publication is also largely intended for iOS and macOS users, and that’s reflected in how we address the topic, in which we pick apart the specifics for Windows users and their options later.
Windows users can indeed still acquire 1Password v4.x and keep using Dropbox vaults.
However, reliance on v4 also means using legacy browser extensions, which quickly are falling by the wayside.
Windows users soon will be forced to v6 and, therefore, cloud syncing. Not necessarily by AgileBits, but by the browser vendors.
For those of us who use both Windows and Macs every day, syncing with a single canonical cloud vault actually will simplify...everything.
But it's going to be an uneven path getting there.
I know that software developers need to keep revenue coming in and that people in general are reluctant to pay for software. But, I don't have a lot of sympathy for AgileBits handling of these issues. I bought 1Password version 2 or 3. Upgrades to versions 5 and 6 (and maybe 4?) were free. While appreciated at the time, I wondered about their business model, Now they push subscriptions because they couldn't figure out how to make money by not charging for version upgrades - well, duh! Ironically I stayed on version 4 long after version 6 came out because version 4 was the last version to support Mavericks. I was pleasantly surprised at the new features and how much better version 6 "just worked" when I moved past Mavericks last year. But I didn't ask for that to be free.
I do not upgrade to every new version (went from Adobe CS3 to CS6, still there, still on Office 2011), I deplore the way subscriptions make it harder to control expenses. And I will not use 1Password as a subscription.
If Agile tries to force me into a subscription, I will drop 1Pwd like a hot potato and go back to the more secure 3M P-IN solution. No way will I put my passwords in a Cloud-solution.
Oh, I will also give Agile massive negative recommendations.
Thanks for the article, Glenn! Perhaps it is time for TidBITS to do another article evaluating and comparing the various methods and apps for creating, storing, and syncing passwords across MacOS, iOS, and WatchOS?
The problem with all these security tools is complexity. Not that security isn't important, which is to say that passwords are important. But password managers are getting harder, not easier to use. No doubt that has a lot to do with how many people have multiple devices in their lives. So 1Password, for example, has devised methods for managing multiple devices across multiple users, with multiple password vaults. Yikes! How is this not intimidating for the very people who need this kind of help the most? That is to say the average, non expert, non-techie user. Not that I'm a fan of subscription software, but, revenue issues aside, perhaps managing it all in the cloud is the simplest way to go. Tell me if I'm wrong here. I'd really like to know.
I've got 1Password 6 running on my iMac in Sierra but I don't think I'm using it right. I still haven't found the time or energy to read the 184 pages in Joe Kissell's Take Control of 1Password 2.2. Maybe I need a 3 credit collage course to get my head into it.
And, now that 1Password is moving to the cloud, the differences between it and Last Pass are disappearing. And wasn't Last Pass hacked a while back? How long will it be before 1Password's cloud is likewise compromised? The cloud and security are not exactly synonymous.
Thank you for the clarification regarding the Windows version of 1Password and details regarding the subscription, 'in the cloud' version of 1Password.
However, my feedback from the Mac community has been hostile to one fundamental problem created and defended by AgileBits. That is the removal of all reference to the standalone version of 1Password for Mac users. It has been impossible to find any reference to it on their website. Therefore, the impression of Mac users has been that they are being made victims of subterfuge, or what I call 'marketing moron' behavior whereby the reputation of a company is damaged by way of abuse directed toward their customers and potential customers. I've interacted a number of times with AgileBits regarding this situation with no resulting satisfaction, only lovely rhetoric and defensiveness. I'll gladly provide all my correspondence with them upon request. I'm extremely disappointed in their change of marketing tactics. Poor show.
If they had introduced the subscription cloud based version as an option alongside traditional 1Password, no one would have complained; but then again it is highly unlikely that many would have chosen the subscription option!
1Password has a cloud subscription option for a while.
I have been using 1Password for mac OS and iOS, on a Dropbox folder for over two years now. My two main criteria were: not cloud-based and easy to use. I paid for it and I am very reluctant to purchase any form of subscription (termination is an issue for me: what happens to my data post-termination?).
I seriously hope 1Password will not coerce me into moving to a cloud base system, which I would object and seek some other password-software consistent with my desires.