180 comments

[ 2.6 ms ] story [ 241 ms ] thread
Ugh. Agilebits left out until the very end that this is only for their hosted solution.

No surprise but looks like standalone users are left out in the cold. Again.

Much as I like and use 1Password every day, I really really do not like the fact that they moved to a hosted model.

Same here. It doesn't even make sense to me because I already have the app installed on the same computer. I should be able to access the new features of this tool using the existing implementation. I'm even willing to pay for the extension if that needs to be done!
Same here. I bought 1Password (multiple times) and have it on my MBP, iPhone, and iPad and got the girlfriend using it on all of her devices too. Matter of fact, I switched to 1Password the very same day that LogMeIn bought out LastPass.

I am not happy about them switching to a subscription model and pushing their hosted product and (in this case) making it a requirement. Yes, the standalone version is still around. For now.

As much as I dislike it, it was (unfortunately, for us) probably the right business decision to make. The standalone version will go away at some point in the future. I'm sure of that, I just don't know when it will be.

I'll never switch to their subscription/hosted product but many, many others probably will. That will reaffirm their decision and lead to them eventually completely dropping the standalone macOS version.

Supposedly, 1Password 7 for Windows will bring back standalone vaults to Windows. Since the hosted solution brings them the bulk of their revenue (I'm guessing), it made sense to me for them to focus on the Windows upgrade with hosted accounts and I forgave them for it as long as 1Password 4 continued to work. I really hope that same attitude continues on with later versions of 1Password X. Starting out with accounts makes sense so long as they add standalone support later. I'm a patient person and beggars can't be choosers.
You’re not a beggar, though. You paid for the product! Honestly as long as they don’t break the current version, I’m fine with what I bought. I have 1Password now on MacOS, iOS, Android, Windows — and I guess I can get it on my Linux box now if I want to pay a subscription.
Yes you are. You paid for a product that continues to work exactly the way it did when you paid for it. They're not obligated to give me new features to the product I paid for at no cost to me, especially when it's a from-scratch rewrite. That makes all of us beggars since what we paid for still exists and they're not taking it away.
(comment deleted)
> I'm a patient person and beggars can't be choosers.

Is it begging when you pay $50 per license for the product?

Yes it is because you're asking to get the upgrade for free. The version you paid $50 for has standalone support and will continue to work exactly as it did when you bought it. Maybe that's a caveat of the SaaS/hosted model. I don't see why they should be obligated to give anyone the version with new features for free, though.
Likely because they’re giving other users who happened to start using 1Password later, new features for free.
But those people will have to pay for the new version. They're not getting the upgrade for free either. They're either paying monthly for those features or they paid for the latest version that includes those features. You paid for the software you've been using the whole time that they haven't been using. I don't understand this attitude where users of old versions are entitled to full version upgrades for free.
This line of thought is bullshit.

When you buy a product you also buy it because:

1. you expect long term support

2. you believe in the company's values and business model

3. you trust that company to keep protecting your interests

There are many more factors going into a buying decision than "current implementation has features X or Y".

Many people are upset with AgileBits because when they bought 1Password, they did so believing that the company's strategy is aligned with them — i.e. at that time 1Password was THE offline password management solution, the other popular alternative being LastPass, a solution that relies on web interfaces and browser plugins and that has had vulnerabilities because of that.

I should also remind you that by buying a software product, you don't actually own it, you're just licensing it — the difference between a one time fee and a subscription being one of contractual obligations on both sides.

But that difference is irrelevant for the topic at hand, because you don't own the 1Password version that you bought, you cannot make improvements to it by yourself, it's not open source after all. When you buy a car for example, non-shitty / classic models at least, at the very least you are free to repair it and improve it by yourself.

And while true that AgileBits has no contractual obligations to keep delivering updates to their standalone version, I personally couldn't give a shit about the scope of their contractual obligations. Because in society when interacting with other people, we also care about other things and we are free to associate or disassociate ourselves from other people at will and the same rules govern our interaction with companies as well.

So when AgileBits no longer delivers a standalone Windows version, that's a serious reason for concern and a flag that we should look for alternatives.

AgileBits is free to do what they want of course, but we can also vote with our wallets after all. And we are also free to complain.

We've provided 30+ updates to 1Password 4 for Windows:

https://app-updates.agilebits.com/product_history/OPW4

The first release was in June of 2014. The most recent update was September of this year.

Our July 2017 updates included support for our new Native Messaging based extension system so that the extension will continue to work for 1Password 4 for Windows users. This is all offered after we stopped selling 1Password 4 for Windows.

That's 3 years of updates. I'd say that's pretty long term.

So far as I'm aware, nothing is fundamentally broken in 1Password 4 for Windows. It behaves the same way now as it did before we stopped selling it and we've continued to produce fixes and improvements for it.

I'd be curious to understand what it is we did to earn your scorn here. It's almost like we kicked your dog or something. I'm all for constructive criticism, but when the criticism isn't actually in line with reality it starts to make me really doubt the authenticity of the feedback we're getting.

Kyle

AgileBits

It's unwarranted. I'm still using 1Password 4 on all my Windows machines and it works just fine. I'm waiting for standalone support in 1Password 7 (just like most of the people complaining) but I don't feel like I'm entitled to the latest version for free. That's just nonsense. You guys have jobs and need to pay for staff and development time. I would gladly pay more for the standalone version that I am now but getting a major upgrade like that for the same price is more than fair. This guy's just being ridiculous.
The Standalone version’s support is abysmal. Just yesterday I found out it is not supported on Linux. I’m sorry, but what?

I almost regret purchasing 1Password.

edit: So complaining about lack of support for a major operating system is downvote-worthy now. Cool. Keep it classy, HN.

A lot of commercial software is not supported on Linux. The vast majority of it, even.

At one point I ran the legacy Windows version under Wine, which even worked with the Chrome extension. Had to disable some extension security policy in Chrome though.

Yeah, I saw that was an option, but installing Wine and all its dependencies (~750 MB of space) just to run a legacy Windows app is a non-starter, for obvious reasons.
Wrong again, there have been cross-platform wrappers for the (very well documented) 1P format for a LONG TIME, see here[0].

Slightly non-intuitive, but functional.

[0]: https://github.com/georgebrock/1pass

This is off topic but I've had to use AIX for a recent project and it's jarring to see the lack of software available for AIX compared to Linux. Makes me happy to go back to Linux.

So it's all relative =)

It never has been supported on Linux. Why is that suddenly a surprise to you?
I built a Linux machine to perform my development work on and found it out.

"It has never been supported on Linux", uh, okay? I'm saying it's totally shitty that a major platform is not supported.

Linux is a major platform? It’s probably as hard to write a Linux version as it is to write the other two, but it has at least two orders of magnitude fewer users.
It's a major platform amongst hackers, no? That's the core audience here.
I don't think hackers are 1Password's core audience. Password managers have a pretty wide appeal.
Yeah... Linux is not a major platform for anything except web servers and I don't think web servers have a need for 1Password yet.
I’m not against the hosted model, but at the moment for me they don’t have enough compelling reasons to use it if you purchased the standalone version. It sounds like they’re trying to get there with X and I wish them luck, but in the meantime I’m a happy standalone user.
I don't think we are. 1Password X is a purely in browser app. It doesn't have local access to your files, it is an extension. The only way for it to get data is from some server outside, i.e. cloud. Don't try to see the malicious intent where it was just practical decision.

At the moment this is the only way to get 1Password to work on Linux (except older OPW4 with local sync support under Wine). I personally happy about it. You don't have to be, if you don't use cloud. No one pushes you.

> Don't try to see the malicious intent...

I think you have replied to the wrong comment? Parent says "I'm not against the hosted model...I wish them luck"

Sorry, you're right :)
Also I see that people for some reason think that this is the only future of our apps. - Standalone apps are not going anywhere. - The original 1Password extension, which is working with standalone app is there too and in active development.

1Password X is one more thing, additional possibility. Not a replacement.

Standalone user here since 1Password 2.0, using it both on iOS and OSX. I feel that it receives pretty frequent updates, and doesn't suffer from feature bloat. It even synchronizes great with Dropbox. What are people's gripes with AgileBits' support of the standalone version?
People see progress happening on something they don’t use (because standalone is basically feature-complete) and just want to gripe. I’ve been a stand-alone user for literally as long as I can remember and have never had a single issue with 1P.
Same. I have a tough time empathizing with people who expect free upgrades forever (especially if purchased many years prior) if they don’t articulate how those upgrades should be funded.

I think it comes from a desktop software mentality, where things remained rather static relative to mobile’s rapid changes.

I don't expect free upgrades forever, but I am extremely disappointed that I will have migrate all my data to another product if they cease providing an offline version.
What does “cease providing” mean? Don’t you have the software? Isn’t the whole point of a standalone program that once you have it, the company can just go bust?
In the context of iOS at least, it has the potential to stop working or lose functionality as time goes on. Compatibility for apps that are not continuously updated is not high on Apple's priority list.
Disclosure: I work for AgileBits, makers of 1Password.

We recently updated 1Password 6 for iOS to work with the new Dropbox version 2 API. Going forward it should be fine until the next Dropbox API changes and presumably that will be a lot smoother than the change from version 1 to 2 that we just did... at least, I hope. We had several people put a lot of time into that transition.

I'm not sure if your comment applied directly to us, but for anyone wondering we tend to update 1Password pretty regularly. We are not at risk of ever being an app that falls on the "not continuously updated" lists I don't think. We were there on day 1 for Drag and Drop on iPad, and day 1 for Face ID. Much like we were there on day 1 for Touch ID and extensions.

1Password for Mac does not depend on Dropbox's API, it syncs directly to the Dropbox folder on the Mac. So as long as that doesn't change it has zero dependency on Dropbox itself.

Kyle

AgileBits

No, sorry, I probably wasn't clear. I didn't mean to say that 1Password does not provide updates.

I was just talking about the hypothetical situation for iOS apps (and thus their users) _if_ the apps don't get updates.

Disclosure: I work for AgileBits makers of 1Password

We've already announced that 1Password 7 for Mac and 1Password 7 for Windows will continue to offer standalone licensing.

Just a heads up that we're not removing the option for users like yourself that want to continue to use standalone vaults and the licensing to go with it.

That said, if you haven't, I would recommend and least trying our 1Password.com service. It was built and designed from the ground up to work for 1Password. It's an incredibly great experience. If you try it and aren't interested after the trial I'd love to hear your feedback on why. No credit card is necessary to try it.

Kyle

AgileBits

I've tried it, but it isn't for me (privacy-paranoid). That said, I really appreciated the post where you said standalone vaults would remain — made me feel like you guys cared. That's the whole thing. I literally don't need any more features besides security upgrades, and as long as I know you're still looking out for us too I'm perfectly happy.
1Password upgrades are not free, they were charging for major versions.
Just checked, last time I paid was $10 (i think for an upgrade) in 2013.
I’m sure from a business perspective 1Password X was also designed with the intent to close the free/standalone funnel and convert those with standalone onto the hosted/paid plan. It’s all about the MRR and I don’t blame them. I’d do the same thing if I was CEO. The money to pay for this R&D/engineering has to come from somewhere.
> No surprise but looks like standalone users are left out in the cold. Again.

There is no money there, without a MRR companies won't do it.

Disclosure: I work for AgileBits, makers of 1Password

This particular solution also makes the most sense for our hosted solution. Extensions are sandboxed, so the question becomes how does the standalone vault get its data into the extension sandbox? Once it's there, how do you keep it in sync?

Sure, it's possible, but it's also incredibly fiddly for the average user. While we do talk about Linux here, the extension is still focused at the average user in most ways. So having a user drag a vault into a particular folder deep in their system or really any other solution is just going to be painful and impossible to easily keep in sync.

The extension also has a prerequisite of not relying on our native applications. So any input from that side is a no go.

The other thing with this is we would've literally had to recreate a very large portion of the standalone vault code again. On Mac for instance this code is written in Objective-C, on Windows it was written in Delphi for version 4, it's not present in 1Password 6 for Windows yet but when it does exist there it'll be in C#. Our new 1Password X extension is written in Typescript and Go. So quite literally none of our existing code carries over to this. That's a big barrier to entry.

Our focus on 1Password.com accounts really made the most sense because it can get the users data directly from the web, dump it in the sandbox where necessary, and it can be easily synced. It was also a lot easier because much of our web client's code could be shared with the new extension, so a good chunk of that work was already done.

That said, I am sorry that you aren't happy about this direction we took for the extension. It wasn't specifically done to make any users made it was to try to continue to expand the options available to users.

* Make 1Password available to two new platforms that we didn't support directly: Chrome OS and Linux * Make it possible for users to not have to have the applications installed in order to use 1Password in their browser. This starts to lower the barrier to entry as well. Traditionally the install the app, install the extension bits have been difficult for some users, this helps alleviate that.

None of our decisions here were based on making users unhappy, it was trying to make users lives easier and introducing 1Password to more types of systems.

One of the main reasons we made 1Password.com was because it allowed us to do things that we could not do in the past. This extension is one of those things that we've wanted to do but couldn't. You're bound to see a lot more of this type of thing in the future because standalone vaults limited our options for a long time and we have a long list of features and things we've wanted to implement but couldn't do with standalone vaults. Now we have a backend that can help us make these things happen so we're working on them.

Now, I'm not saying you have to agree with our decisions, but I do hope that giving you some details will help you at least understand why we're doing this. Understanding why doesn't mean you have to agree with it, or like it even, but understanding does mean you can see it from our side too.

We know our standalone users exist, we're not ignoring them, but we have some really exciting projects that we've wanted to work on for a long time and are now able to do so. Like anyone else here on Hacker News we like to work on thing we're excited about too.

For what it's worth we haven't "moved" to a hosted model. We offer our standalone licenses to users who want them. They may not be front and center but they're there. We have also made it clear that we're offering standalone licenses for 1Password 7 for Mac and Windows, so they'll continue to be offered in the future.

And our existing extension is being worked on every day. We hope that some of the changes we've made to this extension will make their way into the extensio...

Just to add on to this now that I see that Agliebits staff are in this thread.

I'm not against paying for major version updates. Think of it as a tradeoff between time to market vs. revenue. I'm fine with Teams getting features first (other than security fixes) and paying more infrequently than subscription. It's certainly a business model that previously sustained Agilebits and plenty of other software providers. I get that the HN crowd may not make up a large majority of users at this point but I would think there are still many people that would be happy to spread use of 1Password via word of mouth if you deign to do so.

Thank you, @newman314!

While we think that subscription makes it easier to use 1Password and not have to purchase apps and upgrades for every platform, there are many users that prefer to use licenses. We are going to support both for upcoming 1Password 7 on Mac and Windows.

The same is true for 1Password service vs host-it-yourself model. I have 30+ vaults shared with my team and family and it is much easier to use the service but I can still keep the data locally and set up sharing manually if needed.

There are some features that are simply not possible without the servers doing the heavy lifting: shared vaults and permissions, travel mode, Chromebooks, etc. I just hope that technically savvy HN crowd understands that and doesn't see it as an attempt to push everyone to have a subscription.

Roustem, Founder of AgileBits

I used to develop 1Password for Mac and iOS. I now develop 1Password service with Go, ReactJS, and Terraform/AWS.

What does this have that Lastpass does not?
An absence of a long history of security bugs.
A designer </snark>

In all seriousness though, Lastpass is not a particularly good looking piece of software, and in small ways that does impact my ability to use it efficiently. It generally looks like 1Password is much better on this front, although I still use Lastpass because it's ~50% cheaper.

Incompatibility with Safari, Firefox, and Edge?
our main app and extension work with Chrome, Safari, Firefox, Edge.

Password X in particular is new approach and its first iteration works in Chrome only. Which doesn't mean it will not work in other browsers as well in later versions.

Fair enough. And full disclosure, I have been a happy 1Password user for years - will be a sad day if/when local storage is no longer an option and I have to find another solution.
"1Password X was designed for our hosted 1Password service and connects directly to your account."

Nope, sorry. No. Never. I'd rather change password managers than rely on a small, niche company to keep the data secure and in sync -- larger players have a much bigger advantage here.

I can see a future coming when I'll only use 1Password on my phone, and have things stored on a secure enclave. It will be slightly more of a pain to use it on a desktop, but most browsers and operating systems are building their own simplified (and arguably more secure) password vaults...

Larger players being? I can only think of Lastpass when it comes to similar feature sets.
Apple's iCloud Keychain would qualify as a larger player.
... if you omit the lack of cross-platform support
Chrome saves and syncs passwords for you out of the box. Combined with an offline KeePass database, it works great.
KeePass works great with Dropbox. These with Chrome are a pretty comprehensive solution across mobile and desktop, with layers of MFA, if the key file is stored separately.
Does this mean that all crypto in 1Password X is now implemented in Javascript?
I'm worried about this too. The entire reason I migrated to 1Password over Lastpass is that I don't trust Lastpass' extension. There are too many edge cases, too much fuzziness around "offline usage", and too much reliance on the browser. 1Password's extension acting as an anchor for 1Password Mini, which runs as a separate application on my desktop outside of the browser ecosystem, is a major draw.

I don't see how this is better in any way. What's the point?

1Password X is a pure Chrome extension and does not rely on the native app. This has its benefits and obvious drawbacks.

Some of the benefits:

* Simpler installation

* Support for multiple users on the same computer with Chrome user profiles

* Support for Chrome OS

Is this an option for Chrome/Linux/ChromeOS users to provide a more streamlined first-use experience? The "a look at the future" and "this is just the beginning" wording in the announcement blog post implies that this is the direction that 1Password is taking as a product, and Chrome support is just the beginning.

As a user who prefers a native implementation, uses local vaults, and uses Firefox, none of these advantages matter much. If it's not "for me", that's totally cool. If this new experience will replace the existing one, 1Password is no longer the solution for me.

I think the easiest way to look at this is as you said, another option for users.

Some enterprises don't allow their users to install applications, but do allow extensions, so this opens up that possibility.

It also brought 1Password support to two new platforms: Linux and Chrome OS.

As for this being the future. Imagine a world where from a design perspective this sets the tone. Thus, the beginning of the future.

It's a first version that has to compare itself against versions that have existed for years. Of course it can't fully replace what we have. It may for some though, I won't discount that at all.

For starters, there's no way to do Touch ID in the browser. There's no support for local vaults. There's only Chrome support, nothing for Safari or Firefox. There's a lot missing here.

But in terms of the future, this sets the visual design up for how you'll start seeing future updates on the other side of the extension fence.

So, lets go with "this isn't for you" :)

In fact, I doubt in a lot of ways that this is for people on Hacker News. A smaller number will probably find it useful though.

Kyle

AgileBits

Thanks for the response. I appreciate the clarification on this being the beginning of the visual design for the future. As long as _solely_ browser extensions are not the future of 1Password, then it will continue to be my password manager of choice.
It is implemented with WebCrypto APIs. The performance would be abysmal in pure JavaScript.
Does this scare you?

I'm asking honestly, I'm currently building a password manager in react native, and thus the core crypto is all js, relying on crypto-js. Would this be a deal-breaker for you?

I don't think I know enough to feel a particular way about it. All I know is that some people I respect seem to dislike it[0][1], so I've just defaulted to avoiding it where I can.

[0] https://www.nccgroup.trust/us/about-us/newsroom-and-events/b...

[1] https://tonyarcieri.com/whats-wrong-with-webcrypto

The biggest concern with WebCrypto (with the JavaScript code using WebCrypto) is the fact that you have to trust the delivery mechanism.

If there is a problem with TLS then there is a potential for a MITM attack that could modify the JavaScript code.

Another potential issue is phishing. It is easier to create a fake web app compared to a fake native app.

s/the browser/Chrome

Hey 1Password, make this available for Firefox too. It should be relatively easy to port with WebExtensions API, since it looks like a toolbar popup.

Haven't you heard that the meaning of Browser now just means Chrome. Unless someone writes cross-browser, they are only targeting Chrome, which as a Firefox user, really sucks.
Hopefully that will start to change with Firefox Quantum, which in my brief experience has been fantastic.
Disclosure: I work for AgileBits, makers of 1Password

I posted this elsewhere, just pasting here since it's the same question/concern and gets the same answer :)

Making extensions cross browser can still be a bit difficult. Our focus here was to get something readily available for a browser that was in high demand on platforms that we were getting a lot of requests for (Linux and Chrome OS).

I believe browser support will expand over time with this extension, it's just that we didn't want multiple browsers slow our progress or prevent us from doing cool new things. Give it some time and I anticipate we'll see browser support expand.

Kyle

AgileBits

Was excited to read "Linux users and Chrome OS users could join in on the fun?" but then ". It works everywhere Chrome works" so still no love for Firefox users... Too bad the CLI is possibly the worse CLI ever made, otherwise Firefox support wouldn't have been so important.
Disclosure: I work for AgileBits, makers of 1Password

I suspect that browser support for 1Password X will continue to expand over time, but focusing on one browser first helped us make it available sooner rather than later.

Out of curiosity, what exactly do you not like about our CLI? It offers a ton of flexibility, perhaps that's part of the problem. If you have concrete issues though I'd love to make sure we get that recorded for our team.

Kyle

AgileBits

(comment deleted)
Shout out for Avast Passwords. Already does much of this for free. 1Password and LastPass always really annoyed me with their freemium model. Avast Passwords doesn't make you decide between controlling your passwords and paying for basic features. Highly recommend checking it out: https://www.avast.com/en-us/passwords
The hosted nonsense and poor linux and windows support is why I switched to enpass.
I'm glad you mentioned Enpass -- I hadn't heard of them. I'm currently a disgruntled 1Password user looking to jump ship.

https://www.enpass.io

I've been using Enpass for a little while and it's working out really well.

The thing I like most about it is that they are not in the cloud business. They have a list of seven cloud providers that they support for sync and let you pick one (or none if you don't want to sync). They also support using WebDAV/OwnCloud for sync if you want to do your own thing.

The other cool thing about Enpass is that it's available for all of the major platforms. Having passwords synced between my phone, Linux computer, and Mac is really nice.

Definitely not my future. I liked 1Password so far, but my passwords will never go to the cloud.
> 1Password X was designed for our hosted 1Password service and connects directly to your account.

Agilebits/1Passwords continued shoving of their 'hosted' services down their customer's throats amazes me. I'm not even particularly against SaaS/cloud/hosted/subscription/whatever, except a password manager is exactly the type of product that I do not want in that type of environment. Is it really impossible to have a successful software business without this BS? I guess I am in the minority but I would much rather you charge me more for the software or charge me for the upgrades, than push me into your hosted cloud-subscription stuff.

Agilebits/1Password was by far the best product out there, with astonishing goodwill amongst their customer base, which they have managed to lose, not to competitors or outside forces, but rather by incinerating it themselves.

They haven't lost any good will that matters in the long run. I find 1Password valuable enough to pay them a monthly fee and so do many many others.

They changed their business model to be more sustainable/profitable and they know that means that they'll lose a segment of customers but that's OK.

The products that won't do well with a business model like this are products that don't provide enough value. There is nothing wrong with the pricing model itself or a company choosing to adopt it.

For me, it is both about the business model and the move to a hosted service. I’m against renting tools. I will gladly buy them, and I will buy frequent-ish updates (18-24 months). I'm not cheap. I simply value ownership of both the software and my data. I have bought five 1Password licenses for myself and my immediate family; a roughly ~$300-$320 investment. Toss on another $50 for iOS licenses and you have roughly six years of subscription revenue. So, if six years of subs is goodwill that doesn’t matter, that is fine.
Disclosure: I work for AgileBits, makers of 1Password

To be clear, we aren't "moving to a hosted service."

We still offer the Pro features for iOS for $10 for users who want to purchase that instead of a subscription.

We still offer 1Password 6 licenses for Mac, they're available via the Mac App Store, our website, and in app after the trial period ends. We have also announced we'll be offering 1Password 7 licenses when we release that in the future.

We have also announced we'll be offering standalone vaults and traditional licenses for 1Password 7 for Windows.

So nothing is "moving to a hosted service." It's simply another option and it's also the option we feel is best for a vast majority of our users, that may not be you that falls in that category, but you're also reading hacker news, you're not in the same category as a majority of our users either.

Hope that helps a little at least.

Kyle

AgileBits

Disclosure: I work for AgileBits, makers of 1Password

I'm sorry if you think we're shoving the hosted services down your throat. We offer two types of products:

1. Standalone licenses 2. Our hosted 1Password.com solution

When we announce new products, like this one, we're going to scream from the rooftops to anyone that will listen. We're proud of it and a lot of users are extremely happy to see it.

Standalone licenses are not going away. I've mentioned previously in this thread that we will be offering 1Password 7 for Mac and Windows as standalone licensed apps. So if you want to continue using standalone licenses and pay for those upgrades we will happily offer them.

But because of this we also aren't going to stop improving 1Password.com and the products that we can create surrounding that platform.

This extension really wouldn't have been possible with our standalone licensed products. Because we have 1Password.com we now have the ability to offer this with the same ease of use that our users come to expect from us.

I'm a bit confused by your statement that password managers don't work in a cloud/hosted/subscription/whatever environment. Have you by chance read our white paper? It outlines how we protect your data and it's written such that nearly anyone, even without cryptography experience can understand:

https://1pw.ca/whitepaper

Please give it a read and if you have questions we'll be happy to get you answers.

In the end though, if you're a standalone licensed user, you are still going to be supported in the future so there's nothing that changes with regard to that in the future. We just now offer a new extension for users that use our 1Password.com service. And this new extension will influence the Mac version going forward so the things you see here will eventually find their way to the Mac version.

Hope that helps!

Kyle

AgileBits

In-browser password managers are completely insecure by design.

Any site can write whatever they want within the page, so it's easy to fake the prompt and steal the password. The only way to prevent this is if the password manager runs as a standalone application, so that the password is entered outside the browser. 1password has this, and the workflow is fine --- switching to the insecure one makes no sense.

How are sites going to trick the extension into believing the site is on a different domain?
The problematic bit is that the browser itself would prompt you for your master password. Getting users into the habit of entering their master password in a browser window means that it's relatively easy for sites to create a fake prompt that's likely to fool a lot of people.

1Password does a couple of things to mitigate this. First, the master password alone would not be sufficient to get access to your passwords. An attacker would also need access to your vault files (for local vaults) or your secret key (for 1Password Accounts, their SaaS offering). Second, the password prompt isn't rendered within the "danger zone" - the part of your browser window where the page you're visiting is rendered. Instead, it's a dialog on top of the extension toolbar where it's distinguishable from the site (at least with the Chrome extension for the standalone version on macOS, I haven't checked to see if this changed).

Neither of these mitigations are perfect. Leaking your master password is obviously bad either way, and while I have some faith in my ability to detect a fake password prompt that's rendered in the wrong position, that's a bit like an anti-phishing strategy that boils down to "always check the domain", which we know doesn't work. Ultimately, not using an extension reduces your attack surface significantly, but incidentally that comes at the cost of some phishing-resistance that you gain from only ever entering your password through an extension matching the domain.

You are correct. This is the main reason 1Password X never uses a web page when it prompts for the master password -- the master password must be entered in the popup that is only accessible to the extension itself.

It is certainly tricky and there are many other concerns. We hope to have a white paper about the security decisions made in 1Password X design.

I have used 1Password for half a decade, but I'm pretty disgusted by agilebits behavior as they continue to shove non-cloud users aside. The amount of customer goodwill they've burned is astounding. I think it's time to start looking elsewhere for a password manager solution.
Disclosure: I work for AgileBits, makers of 1Password

I'm sorry you feel that way.

What makes you think we're pushing you aside?

We are still introducing features in 1Password 6 for Mac, and 1Password 7 for iOS that work for both our hosted solution and our standalone users.

We are able to offer a lot of newer features to our 1Password.com membership users because that solution opens a lot of new possibilities. But we certainly haven't forgotten about users like yourself.

1Password 6.9 for iOS introduced Drag and Drop for iPad users

1Password 7 for iOS introduced Face ID, a new favorites screen, Quick Copy, and a host of other smaller features and improvements

We're not stopping there either and have even more great new features lined up that will work for both our standalone users and our 1Password.com users.

1Password 7 was also a free upgrade for any iOS user, including those that had Premium features purchased.

I'd love to hear how you think we're pushing you aside though because it'll help me understand how we can try to improve our language in various release notes and announcements to make it clear we aren't leaving you behind.

Thanks!

Kyle

AgileBits

I'm just wondering, does your period subscription license also include your "stand-alone" software?
It does.

So if you purchase a subscription, you'll sign into an account for 1Password in the app. The presence of an active account (one that's in paid status, or trial) will unlock the standalone licensed portion of the application. So you can freely use those features to your hearts content.

At least, that's how it works for Mac and iOS. I contribute to those teams specifically on the development side so I'm most familiar there, I'm not sure I know enough about Android to comment there and be accurate. If you need to know about Android I can find out though. Regarding Windows, not currently because version 6 is 1Password.com only, however, version 7 will add standalone vaults and a traditional license model, I anticipate it will copy our Mac application but until it ships I can't guarantee anything.

Kyle

AgileBits

Former LastPass employee here. Looks to me like 1Password is going full LastPass. First fully hosted passwords. Now support for extension only (which is way worse security wise).

SaaS margins and recurring revenue is better, and I guess their previous model was killing 1Password.

Yeah - I'm surprised there aren't more comments pointing this out.

When you state "their previous model", do you mean per-user pricing vs. per-device?

It's both. My guess is the product offering and pricing changes are part of the same push for recurring revenue
AgileBits employee here:

> First fully hosted passwords

In addition to standalone data

> Now support for extension only

In addition to existing apps and existing extension.

> I guess their previous model was killing 1Password.

The guess is wrong. Sorry. We said the opposite publicly multiple times.

Disclosure: I work for AgileBits, makers of 1Password

Hello fellow (or former) password manager person! Fancy seeing you here.

The previous model wasn't killing us, in fact it isn't even "previous" because we still offer standalone licenses for those that want them and will continue to do so.

For those who aren't aware of our upgrade cycle in the past:

For Mac, we last charged for 1Password 4 back in 2013. Version 5 and 6 were free upgrades over the last 4 years. Version 3 users got free updates for 6 years before we released 1Password 4 as a paid upgrade.

For iOS, version 1 was paid, version 2 and 3 were free upgrades. Version 4 was a paid upgrade by way of a new app. It went free with premium in-app purchase in version 5 and all users who purchased version 4 got the premium service free in 5, 6 and 7.

If we really were struggling making revenue work for our standalone licenses we could've charged for upgrades every year like any other product does.

1Password.com is not about the revenue, it's about making a product that we can do more with. We have exciting ideas and features we want to create and introduce to our users but we couldn't do that without our 1Password.com solution. This is simply one of those options, our command line client is another one, and we'll be showing off even more great new features like these in the future.

On the security side, I encourage any security researchers out there to try to prove our applications insecure by demonstrating it via our bug bounty program:

https://bugcrowd.com/agilebits

Happy hunting.

I hope that gives some insight at least.

Kyle

AgileBits

I'm a bugcrowd customer too, but offering a prize to say you are secure is a fallacy. It's also not how bugbounties work... Example: - https://moxie.org/blog/telegram-crypto-challenge/

The fact remains the same that the things you championed against LastPass doing are now the features and products you are providing.

You guys have already been caught erasing and hiding the previous versions on your site to convert people to 1Password.com.

I don't really care about any of this since but you guys are just not being sincere about the things you're doing. It's kind of sad.

> You guys have already been caught erasing and hiding the previous versions on your site to convert people to 1Password.com.

Wow, that is BS.

You can download any previous version of 1Password, starting with version 0.8.0 (May 2006):

https://app-updates.agilebits.com/

No it is not at all. This is what the whole debacle was a few months ago when you removed most of the download links from your website.

https://twitter.com/cryptovillage/status/884205077459738624

Every version of 1Password available on https://1password.com/downloads/ works with standalone vaults. The only exception is 1Password 6 for Windows, but there is a link to download 1Password 4 for Windows. The link for that even says "Get 1Password 4 (standalone version)".
Ouch! I just switched to Firefox 57 and I can't use this new feature! Shouldn't the WebExtension be portable across both browsers with minimal work with Firefox 57?
Yeah, it requires minimal work but some companies can't even put minimal work into their extensions so here we are...
Also on Safari 11. WebCrypto is widely available now.
Disclosure: I work for AgileBits, makers of 1Password

Making extensions cross browser can still be a bit difficult. Our focus here was to get something readily available for a browser that was in high demand on platforms that we were getting a lot of requests for (Linux and Chrome OS).

I believe browser support will expand over time with this extension, it's just that we didn't want multiple browsers slow our progress or prevent us from doing cool new things.

Give it some time and I anticipate we'll see browser support expand.

Kyle

AgileBits

(comment deleted)
Am I the only one in here who loves their hosted solutions? We use Teams at work and I use Family for my wife and I.

It's important to me that I have access to certain passwords on my desktop, laptop and phone. These items also need to be accessible to others who should be able to view/edit. There's no way to do with without some sort of cloud solution and so the decision becomes which cloud solution. I used to use Dropbox, but now have no need with Team/Family.

With teams, when a staff member leaves, we can easily remove them from the admin panel, update all passwords in all vaults they had access to and have those changes immediately available to everyone.

A lot of responses here sound incredibly paranoid and almost naive. If you're not syncing passwords between devices/users and you're not putting your information into the cloud then I would argue at some point you may be performing insecure actions to accommodate secrets use/management.

For example, how are you logging in on your phone to a service that requires a user name and password when the password lives only in a standalone system on your desktop? If you're not manually entering the password, you're likely doing something security-wise that isn't ideal.

I disagree. In fact, given the regular loss of online credentials, I think you are misguided in your faith in a hosted password solution. There are plenty of people that do not want to for very good reasons.

As far as syncing using non-hosted 1Password, I use a combination of wifi sync (for mobile devices) and Resilio (in local sync only mode, no tracker, no cloud copy a la Dropbox) to sync. Works very nicely across 5 or 6 devices and fits my use case of syncing only when my devices are on the same network.

Does that work well with multi device updates? What happens if two devices write to the database and then sync?
TBH, do you anticipate a scenario where you are changing passwords on multiple devices in short order or simultaneously?

I don't make changes to 1Password that often so while I get that this is HN, not everything needs to be scalable =)

The GP was talking about family sharing, so yes.
If you're using 1Password for Mac or iOS, then simultaneous writes are a non-issue. All sync types have conflict resolution implemented, where worst case scenario it'll put the overwritten password into a "Conflict" section at the bottom of the item.

With the other apps, you'd get nice behavior with 1Password.com because the first one to hit the server will have its record saved in the archive. That's one of the nice features of 1Password.com, getting to see item history. You don't need to worry about accidentally overwriting changes.

We’re not talking about syncing using the server but rather local file that is later synced via a file sharing service.
I love it too. I completely understand why some people want to avoid a hosted solution, but it makes sense for me and my family. I've probably recouped the subscription cost in the time savings compared to having to troubleshoot my wife's setup every couple of months.
> I've probably recouped the subscription cost in the time savings compared to having to troubleshoot my wife's setup every couple of months.

Absolutely agreed–the hosted solution made it so straightforward to get my girlfriend onto a password manager that I've never looked back. I had used the standalone version with Dropbox sync for a long time before switching, but I had enough (occasional, minor) issues with the sync process that I didn't want to push it on her and then have it become a point of frustration when I wasn't available to help debug it.

The hosted solution has been totally seamless to set up on various devices, adding additional shared and personal vaults for household accounts was painless, and my own peace of mind in knowing she uses it for everything is worth a lot to me.

> Am I the only one in here who loves their hosted solutions?

No, even though I'm fully-aware that it's ill-advised. You're picking your poison: you can either have absolute security (which should always win, but I am human) or convenience. That being said, I'm not a fan of them forcing people down their hosted route.

What part is actually hosted here? Do they store opaque encrypted blobs and pass those around, or can they see the actual secrets too?
I'm pretty confident that AgileBits only has access to the encrypted versions of stuff. They've thought about this long and hard and it would decimate their business if they did anything as stupid as storing things in plaintext. That's why you have to enter your master password... to decrypt the file.
Disclosure: I work for AgileBits, makers of 1Password

We outline the entirety of how this works in our white paper:

https://1pw.ca/whitepaper

We cannot tell what your data is. It's encrypted on your device using keys that only you know. Then we store it on our side on the server.

The unique solution of using your Master Password and your Secret Key, makes brute forcing the data on our server an incredibly expensive job for anyone attempting to do so. It makes our servers an absolutely terrible target.

I definitely recommend reading the white paper, it's quite easy to read, even if you aren't super interested in cryptography. If you have questions though just let me know. I'll make sure you get answers.

Kyle

AgileBits

All it would take for 1Password to decrypt our entire vault is for 1Password to push out a software update that simply made it so that the client app uploaded the keys to 1Password's servers after the user typed it in. Without 1Password releasing their source code, end users would have no idea if such an update ever took place. We just have to trust 1Password as a company. Well, if we already trust 1Password as a company, what's the point of even using encryption? Might as well just store it in plain text in a database on your servers and trust that your employees won't look at them!

Without open source auditing of all clients and md5 checksums of compiled binaries, security is nothing more than an illusion.

If that's your concern then I'm afraid there's little we can do to change your opinion and perhaps 1Password isn't the solution for you.

I don't mean to sound rude or anything like that. Just being honest.

We have had grand visions of offering portions of our source (notably the cryptographic portions) available for review, note, not open source in the sense you can use it but in a license that makes it available for review purposes.

If 1Password.com was the sole solution we offered then open sourcing the entire app would be potentially feasible because our income wouldn't rely on people compiling their own version and editing out the license code. But it makes little sense for us to make that available if modified copies can be made available removing a chunk of our income.

For what it's worth, we have over 90 people who depend on AgileBits to provide paychecks so people can support their families. That's a heavy burden when your decisions can impact that many lives. I'm just a member of our team, not a founder or owner or anything but hopefully you can recognize this side of things.

We'd like nothing more than to do whatever we can to get users to trust us but there are limits to what we can do and still keep 1Password alive.

If you absolutely have to see the code in order to trust an application then there are other options out there, but they won't provide the same level of support, features, or hands off management. These are trade offs you have to make as an individual. Only you can make those decisions for you.

Every person at AgileBits uses 1Password, and we design it knowing we will be using it and we are all passionate about wanting our data secure. If we did something to put your data at risk, we did the same thing to ourselves. Just another view of that I suppose.

Kyle

AgileBits

I'm simply pointing out the elephant in the room. If there is no ability to audit the source code of the password manager, and the source code is managed by a third party company, then for all intents and purposes, the third party company has theoretical access to everything (regardless of what encryption is used). It boils down to trust, and that trust can be violated by a single rogue employee at AgileBits. It could also be potentially violated by a government agency gaining control of AgileBits.
First, I'd like to point out that this concern is completely orthogonal to a hosted service, and has no connection to it.

Second, with the inability to check that a given binary came from a given source tree, open source does not help us audit what gets executed. If we're supposing that Agilebits' build process has been compromised, then we're in the same realm as considering a compromised build process for .deb or .rpm.

[Disclosure: I work for AgileBits, the makers of 1Password]

Thanks. I (as you'd expect) agree with both points.

The second one is particularly challenging. Deterministic builds are possible for some categories of software, but it will be a long time in coming. And for software that is updated frequently, it is even harder for people to practically check that what they are running is the reviewed code. But the technology is improving for this to be more practical. On the other hand, app stores move things further away from having the ability to distribute determinist builds.

This is not an excuse to not seek openness, but it does point out that there are lots of things to do that most people don't to get the benefits of that kind of inspection.

[Disclosure: I work for AgileBits, the makers of 1Password]

I'd like to elaborate on the two points made by @epistasis

1. Ability to deliver of a malicious client does not depend on where your encrypted data lives. If you sync over your own private network or if your encrypted data is held by us, it is just as difficult (or hard) to get away with delivering a malicious client.

2. There is a lot of security value to openness and having the source available, but it is only a defense against deliberately malicious software if you compile the software yourself. Otherwise, there is a very weak trust chain between the code that has been reviewed and the binary you are running.

For the first point, a malicious client wouldn't need to exfiltrate all of your encrypted data. It would only need to exfiltrate the credentials needed to obtain your encrypted data. (As well as exfiltrating keys, etc). So for the overwhelming portion of people there is no significant difference with respect to us having your encrypted data or it living some place else.

As for the second point, tools for deterministic builds are improving, but there are still practical impediments. In theory there are ways to ensure a good trust chain between the reviewed source and the binaries that people run. But these are far from ready for our target users: everybody.

So if you, say, recommend KeePass for this sort of reason, are you also recommending it to people who will check the signatures on the source and then build from that? (I have enormous respect for both KeePass and for those who use it that way. But I have less respect for those who would recommend that to everyone. I hope that we are past the bad old days of "some people don't deserve security.")

While we can't completely rule out the possibility of delivering a malicious client (through us turning evil, external compulsion, or an insider attack), there are things that we can do to make it harder for that to go undetected.

You will find that where we can we have made it easy to run 1Password attached to a debugger. People with sufficient skills can see that it behaves as we say it does. This makes it far more likely that a widely distributed malicious client wouldn't go undetected.

Also to support this (and try to gain some of the security benefits of openness), we've gone into gory detail about how 1Password works. Sure there are holes in some of the documentation, but we are slowly filling in those.

I'll also mention the third claim that a "single employee" could cause the distribution of a malicious client. Again, there is no way to completely rule that out, but it would be hard for any single or small group of people do that without running a significant risk of this being detected internally. So it would have to be a fairly large conspiracy. And as we know, the plausibility of any conspiracy diminishes rapidly with the number of people who have to keep the secret. There are many eyes on the source, many eyes on the build and distribution process, and very few hands on the code signing keys.

Several times I've mentioned "significant chance of getting caught". Consider the risks to anyone trying to do evil this way. What are the consequences to them if they are caught, and so how big of a risk will they accept? So even though we can't make it impossible for someone to get away with it, we do what we can to make it hard to get away undetected.

None of this is perfect. And you have to weigh your own choices. But when you do so, make a fair comparison with the realistic alternatives instead of against an ideal.

(comment deleted)
I really wanted to use 1Password for Teams, I don't mind paying a subscription model, and their whitepaper on their hosted solution is really quite thorough:

https://1password.com/security/

My big issue is still with the web app allowing you to unlock your vault and access your passwords. They acknowledge in the whitepaper that it's theoretically possible that an attacker could MITM your SSL connection and serve malicious javascript, stealing both your master password and any secrets you access. They list certificate pinning and DNSSec as unimplemented future actions they may take, but also need to take into account that their web app servers themselves may be compromised.

All of this could ideally be mitigated by centrally hosting encrypted password databases, but either a) having the extension/desktop app cryptographically verify all server pages and assets, or b) allowing the web UI to be entirely disabled. If they did either of those I'd sign up for an enterprise account in a heartbeat.

This is something we plan to tackle in the future. Probably via some sort of downloadable local copy of the web client. But it's possible we integrate it into each app somehow. It's still something I think we're trying to think through to try to get right before we act.

As it stands, the only reason you need to login to the web client is for administration purposes and sign up. After that the native clients handle the rest.

That said, as you indicated, we're aware of this potential vector of attack and acknowledge it.

Kyle

AgileBits

I'm syncing passwords between devices, but I'm not using "the" cloud.

I self-host ownCloud. I use their clients for syncing on desktop, and a separate utility on Android for syncing my 1Password vault to my phone. My data never leaves my hands.

My thinking, besides just general paranoia, is that while AgileBits is probably more competent than I am when it comes to securing and administering their infrastructure, their infrastructure is also a much bigger target.

It's unlikely -- given my general lack of doing anything interesting or controversial with my life -- that I will ever be specifically targetted. It's much more likely that I will become collateral damage. e.g., https://www.theregister.co.uk/2012/03/02/linode_bitcoin_heis...

I purchased the standalone Mac 1Password app, but moved back to LastPass.

I hate LastPass, and want to use 1P but LP just seems to work better. Despite being bloated and ugly.

Admittedly, I haven't tried 1P for around a year now. So as I have a license, I have been tempted to go back. Is it worth it?

My biggest gripe is in Chrome on iOS. Nothing ever seems to be able to autofill correctly and the UX is just horrible...

1. Tap Menu Button

2. Tap Share Button

3. Tap LastPass

4. Authorise Touch ID

5. Select Password

6. Autofill fails... Go back to 1. (Then hold to copy the password instead of fill)

Disclosure: I work for AgileBits, makers of 1Password

Chrome on iOS is a unique situation.

We offer two things for developers that integrate with 1Password:

1. Native application integration. The idea here is that apps that offer a login to their service/site can pull the username and password from 1Password, then insert it into their native UI controls and sign the user in

2. Web view integration. The idea here is that the developer pass us the web view as part of the process and we handle the filling.

Chrome is using option #1, so what they do is give us the URL, we provide the list of Login items, and then they take the username and password and provide the filling. For the filling parts we have absolutely no control over this in Chrome. Any filling related bugs are completely on Chrome to fix. If they used our web view filling option you'd have consistently the same filling behavior as 1Password does in Safari on iOS.

Sorry you had this experience though. Unfortunately we can't really do anything about it except say we understand your pain. We spent a lot of time and effort getting our filling systems to work as well as they possibly can and when users report issues in Chrome we have to send them off to Google to report those and get them fixed.

Kyle

AgileBits

Thanks for the response. I thought the Chrome issue may have be something like you mentioned.

The fact that you're here and replying is another reason why I want to like 1Password. I'd be shocked if a LastPass employee responded to me.

Will try copying my passwords over tomorrow and see how I get on!

Absolutely my pleasure.

If you have trouble please reach out via our support page and shoot me an email. You can ask for me directly if you want and I'll be happy to work with you to see if we can determine if any issues you encounter are those that we can fix or not.

Happy to help however I can. But thank you for being willing to listen and converse. We always love hearing from our users even if it's bad, it gives us something we can improve on.

Kyle

AgileBits

Exactly my sentiments. I want to like 1Password so much, I've even purchased it and used it but I had to store it in dropbox or something and then it had to sync with my phone which repeated failed. Things just didn't work well. This was awhile back but I remember hating my experience with it and moved on.

Now I've been using Lastpass for awhile (years?!) and it works pretty well - doesn't interrupt my workflow much but like you said it's really ugly. I've almost gone back to 1Password just by seeing screenshots and wishing that's what password my manager looked like.

I find myself wondering if keepass is going to introduce a new vault type of small individual files in a directory and move into where 1Password used to be (including "cloud" using any of many cloud storage options).

edit: Seems to me that even if you set a fixed file size of 1-2k for each entry it wouldn't be too huge, or perhaps a dual-file per entry system with one small fixed-size file (128-256 bytes?) for indexed info (URL, name, username), etc. and a second fixed at multiples (or powers) of 1KB for added data (actual passwords, password history, notes, etc.) you could mostly avoid disclosing information even about URL lengths, etc. You could probably reasonably obscure a lot by doubling the larger file's size as the minimum increment and for most scenarios the file size would still be pretty trivial by modern networking/storage standards. Would stink for binary storage or images, etc. but there are different solutions available for that.

That's how we designed the original 1Password data format (.agilekeychain). It certainly made syncing with Dropbox much simpler.

It does have its drawbacks though. Once you have too many files (and make too many requests), both Dropbox and iCloud will start throttling you.

It also might take a while to reload the data, even from the local disk. We had to add a cache file at some point.

I could see either local caching or (assuming the storage backend provides access to file metadata like date/time stamps that are internally consistent) I can think of several ways to have any instance of the application consolidate those small index files into larger ones such that you'd mostly need to load the consolidated file plus any individual entries modified since its timestamp. If those consolidated files were appropriately named you could even have multiple instances creating them at the same time without causing collisions. Cleanup could be a little trickier, but could likely be done with very little risk as long as a little bit of storage bloat wasn't a big concern.

Interesting thought experiment, thanks for mentioning your real-world experiences with it.

Yea, our current solution, as Roustem mentioned, sort of recreates the Dropbox app on Mac. We replicate the entire keychain file on the device, then perform syncing to keep both up to date.

Our newer OPVault format uses band files, each band file is named after the first character in each item's UUID, which means we have far fewer files than AgileKeychain (individual files for each item).

They both have their pitfalls, but initial sync with OPVault is infinitely faster as number of items increase. We did a ton of testing when we switched to the new Dropbox API and we had AgileKeychain's with thousands of items in them. They took awhile to sync. The same number of items in OPVault was nearly instant, at least with regard to the replication portion. Sync still took a little while due to the encryption and decryption that had to happen.

Sync with 3rd party sync services have always been quite difficult for us. Especially from a troubleshooting standpoint. It's hard to replicate certain issues because the data is incredibly sensitive for users so we can't "get" the data and instead have to try to duplicate the issue with limited information.

Every day is certainly a unique challenge :)

Kyle

AgileBits

Chrome only makes this effectively useless. Considering that the entire browser market is moving to a largely unified web extension format this is not that impressive. "Everywhere Chrome works" is simply repeating the mistakes of the past, but with Chrome now instead of IE.
Disclosure: I work for AgileBits, makers of 1Password.

This was posted in a couple different similar threads so I'm pasting it here as it's a direct answer to your concern.

Making extensions cross browser can still be a bit difficult. Our focus here was to get something readily available for a browser that was in high demand on platforms that we were getting a lot of requests for (Linux and Chrome OS).

I believe browser support will expand over time with this extension, it's just that we didn't want multiple browsers slow our progress or prevent us from doing cool new things.

Give it some time and I anticipate we'll see browser support expand.

Kyle

AgileBits

The cloud storage they are pushing everyone to annoys me. I feel like it's just a matter of time before i will switch to something else.

Also, does the average person really need a $3/month subscription even though they could just store the few KB/MB of data in their iCloud/Dropbox/whatever for free? No they don't, but they probably won't realise that anyway. To me it feels like they are trying to fool people.

A 5 year subscription would cost you $3 * 12 * 5= $180 Who would ever buy 1Password software & upgrades for $180 in 5 years?

Even though $3 a month feels like a small amount, it isn't.

Nope. I'm out then having bought desktop licenses from 1.x to 4.x for Windows and OS X.
Nothing is changing for you. Apps and extensions are still getting updates, and there is no plan to slow down. 1Password X is only for people who can't or won't install the apps (Linux, Chrome OS, corporate restrictions, etc.).
There is a segment of your users that still want the original 'on-prem' version that you started out with.

These nerds have money and understand you want a sustainable business model. Just charge these people an annual software maintenance fee and stop neglecting the standalone version. Yes it wont satisfy everyone, but it will stop all the negative PR that comes out whenever you do something that is artificially cloud only.

Disclosure: I work for AgileBits, makers of 1Password

How are we neglecting our standalone users? I'm really curious here because we are still introducing features in our existing applications that work for our standalone users.

Certain new applications like 1Password X and our CLI are only really easily possible because of 1Password.com, but just because these are being offered doesn't mean we're neglecting our standalone users.

Just recently in 1Password 7 for iOS, we added Face ID support, a new favorites screen, and Quick Copy, among others. In 1Password 6.9 we added Drag and Drop support. None of these features are unique to 1Password.com, they work for everyone and they were free for existing users as well.

Really curious how we're neglecting you though. I'd love to understand this so I can make sure we address it better.

Kyle

AgileBits

You don't discard them completely, but new things that can be made by reading local files vs using a cloud API are just made using a cloud API. Updates to current apps I'm guessing will still support local file users if it's easy.

Your website has no obvious way on how to buy the standalone version now. It's pretty obvious through behavior that it's a deprecated mode without stating it outright.

Most people can deduce it's an official PR position to deny the behavior that is being shown, like your doing right now.

But please, just be honest and say it's deprecated. Or start supporting the on-prem users again & ask for a software maintenance fee. None of this on the fence stuff. One guy that I have seen that has done it out right is this one: http://www.keyboard-and-mouse-sharing.com/maintenance.htm

Once deprecation enforcement starts becoming too much, those users are going to go away. A chunk of these customers don't want to do that although, because just paying the $24/year is cheaper than the time and hassle it would take to switch to something else. You could even combine it with the cloud version and just let people choose. But they are not going to chose that if they know on-prem is still deprecated.

You guys used to make features that would explicitly avoid server side decryption, like watchtower. We want that back.

> Your website has no obvious way on how to buy the standalone version now.

It is not easy. In the beginning we had a website that offered both standalone version and a subscription on the same page. It is easy for HN people to make this decision but we had hundreds of customers purchasing both, most of them having no idea what is the different between license and subscription.

Since the purchase-separate-license-for-each-platform-and-host-data-yourself requires more expertise, it made sense to make it less visible and make the subscription option to be default.

> You guys used to make features that would explicitly avoid server side decryption.

All encryption is still performed on the client side. In fact, with 1Password service we went overboard and now encrypting much more data on the client side than we used to.

We also added a separate Secret Key that makes sure the encryption strength does not depend on the master password alone (many people still use pretty weak master passwords).

Just charge an upgrade fee for the next stand-alone version and then you can get your revenue back.

But not charging for stand-alone upgrades you make it seem like the only choice for a revenue stream is cloud-hosting.

Will you charge an upgrade fee or not? (for stand-alone)

We've already announced that 1Password 7 will be a paid upgrade for both Mac and Windows.

As I stated in other threads here, those options aren't going away. However, we will be very unlikely to make standalone licenses a front and center option. If you expect them to be right there next to the 1Password.com solutions, then I'm sorry but I don't anticipate seeing that happen.

This does not mean we don't offer the standalone licenses, it just means we aren't going to make them a focal point. Those who want them can get them and we haven't stopped anyone who has wanted them from obtaining them.

Kyle

AgileBits

Too little and too late. It took then years to finally announce (partial) Linux support. By this time most multiplatform users like myself tired of waiting and switched to other password managers like LastPass.
Anyone else having issues adding a second account? I goto chrome://extensions/ click on 1Password X "options" > + Add an acct. I then get prompted to login to my 1st account, have no option to add a second account.
So found it - there is a "Sign in to another account" at the bottom of the login page.