…but they will still be selling individual non-subscription licenses through their own website, so anyone who wants to avoid a subscription can still do so.
Still, this is a trend I will have nothing to do with if at all possible. And besides subscriptions, version 7 will only sync using their back-end, which is not acceptable for me.
On one hand, password managers in browsers are becoming nearly good enough to cover for 80% of my use cases, and most of the other 20% boil down to convenience (ease of pasting, updating, etc.)
I don't like the idea of being forced to move to a subscription on my Mac and on iOS for diminishing returns in feature improvements -- and I've been using 1Password for many years now, so the need to finance new features is something that I understand but have seen little return from.
By all means ensure you can sustain revenue, but beware of inflated subscription prices.
(I've been keeping tabs on alternatives for a while now, so I will likely not upgrade to 1Password 7)
Anyone making software wants Abobe/Microsoft margins and enterprise like recurring revenue for their random product.
At least in the case of 1password the rate isn’t usurious, but the biggest problem they have is due to a business decision to make the product dependent on a SaaS-like service delivery model.
If it's cloud-based sync, then a subscription model makes sense, but I've yet to find a subscription price that is in line with what I think is reasonable (~$2 / month) for the service.
What alternatives do you have in mind? I was thinking the same, but haven't done much research yet. I definitely want to have more control over my passwords.
I'm not sure what your criteria are but I've been using LastPass (Enterprise) with 2FA (Yubikey) for a couple years now. Aside from the Yubikey, the key benefit is I can share a folder with someone using the free version.
It's not cheap but it works and afaik it's secure (esp with the Yubi).
1Password Family accounts have support for free guest accounts that can be used to share information with other people without requiring them to purchase.
>And besides subscriptions, version 7 will only sync using their back-end, which is not acceptable for me.
What. I'm using 1Password 7 with a standalone license. I installed the beta, paid the $40 it cost for a license, and it works fine with iCloud and Dropbox same as always, I moved right from 1Password 4 and the only change I did was to purposefully force a resync so that all shared keychains would be updated from the ancient format to the newer one (if you were on 1P6 that wouldn't be necessary).
I'm not a fan of their subscription efforts because I think it's actively subtracted from what they could have done for the standalone version, and I don't think they've been fully honest about it which absolutely rankles. They talk big about benefits but they don't actually acknowledge costs or the profit motive. Even so there is a really oddly high load of objectively, trivially disproved FUD swirling around these HN articles about them now and I don't fully understand why.
Good timing that I moved all my passwords from 1Password to Emacs and GPG one year ago. It’s a pity; I’ve been a very happy customer for a long time, had licenses for multiple machines and was happy enough to pay for the updates.
But my data shall be my data, again. I’m not paying for an app that I regularly have to buy an upgrade for and which doesn’t give me the opportunity to hold my data locally after explicitly having this as a selling proposition for many years.
They're still selling standalone versions for MacOS & Windows that run off local storage. Doesn't seem like they're doing multi-OS license bundles anymore, though, so it's gonna run expensive if you use more than one OS.
This is accurate. In general / on average standalone vaults require more support, and the price of licensing compared to subscription pricing reflects that.
Could you comment on your emacs setup? I see a few threads on this from Google, but just curious what your setup is and maybe some tidbits about the pros and cons of this kind of setup. Thanks in advance.
People keep bringing this up, and it feels like a major failure of Agilebits marketing approach.
The subscription service changes the frequency at which you pay Agilebits; it does not mandate how you store your data. 1Password 7 continues to allow all the kinds of local/Dropbox/etc vaults that prior versions allowed.
If somebody at Agilebits is reading this thread: look around at these comments. The lack of clear information about local storage in the subscription model is causing massive levels of customer concern.
I think it is likely that they want to hide this option, as they have hidden the standalone version. I think their long-term plan is to have everyone on their subscription with data stored in the 1Password cloud.
This reduces support and development load (no need to support local/Dropbox/Wifi sync with all its edge cases) and guarantees montly/yearly payments.
I think they’ve actually been quite upfront about the option, even if it’s not front and center on the website right now.
Both the standalone subscription and the local vault support have regularly been mentioned in announcements and updates for 1Password 7 from the start. My impression is that agilebits understands how important these options are to their users and have invested in keeping them around for the long-term.
The support and development load is indeed much higher when it comes to standalone vaults. There is an infinite number of scenarios out of our control when it comes to Dropbox and WLAN sync. Several times in the past we had support inbox at over 10,000 emails waiting for response.
If AgileBits was VC-funded then we would have to drop standalone vaults, no doubt. It is a good thing that we are not. We do care about our long-time customers and will provide standalone vaults for as long as there is demand for them. Just please do not ask us to make it a default option.
The local storage model is only really desirable for the more paranoid subset of software/IT folk, and those people have a lot more options than just 1password because they're technically savvy enough to work with open source solutions. Their actual target market is drastically larger than that subset of users.
I understand where you are coming from and we thought about advertising this feature.
However, it would not be the best option for most of the customers. They would have to understand how to take care of local vaults, including syncing, backups, etc. It is really an advanced feature for very technical audience.
My concern isn't that you aren't advertising the feature, it's that your marketing speaks in many cases directly contrary to your real feature-set. Taking an example already quoted elsewhere in this thread:
> 1Password 7 from the Mac App Store will only support our hosted service, as that’s what you’re purchasing with a 1Password membership. If you install from our website, you’ll have to option to use a standalone vault synced via iCloud if you purchase a standalone license, or use our hosted service if you purchase a 1Password membership.
> As it stands, though, how you purchase 1Password is intrinsically tied to where you store your vaults and how you sync them
This was directly in response to a question about the ability to continue using local vaults in 1Password 7, and it doesn't say that local vaults are an advanced feature, it says they will not be supported by people who buy a subscription.
If y'all just didn't mention the local vaults in most of the marketing, and then there was an "Advanced users only" section that said "however you pay us, you'll be able to keep using local vaults just like always", you'd solve a whole broad spectrum of the concerns you're seeing on this page.
This quote was posted in response to a question about the Mac App Store and is taken out of context here. We’d strongly encourage anyone looking to subscribe but use standalone vaults to do so through our website, rather than the Mac App Store. I can’t guarantee that’ll be a viable setup through the Mac App Store. When done through our website though it definitely is. It isn’t the recommended path (as you are paying for features you won’t be able to use), but it is possible.
I’m sorry for any confusion caused by the comment. Hopefully this clarifies.
I have been using Bitwarden for some time now. It’s an open source password manager. There are apps for all major platforms and extensions to all major browsers. Checkout https://bitwarden.com/
To be precise, their base software is Free software, licensed under the AGPLv3. The also distribute non-Free (and non-Open Source, and non-gratis) software.
Their base software has an artificial limit in terms of number of users and number of 'collections', which goes contrary to the ethics of Free software.
I saw all that but it looks like you've got to pay a monthly fee for full access for their cloud storage. Not sure its worth the hassle of migrating to in this case.
Maybe, but Bitwarden is open source, and Enpass is not. It's not important for people unless it is important for them, and in that case it's usually very important.
It's $1/month to support open source software. That's not a bad price. You can also choose to use their hosting for free too; I was doing that for a few months before fully adopting it.
Your passwords are stored on their server. You'd have to compile and run your own server, which is more expensive than the $1/month they're asking for.
> You'd have to compile and run your own server, which is more expensive than the $1/month they're asking for.
For people like me that already rent a VPS for their mail and website the marginal cost is $0 except for the time it would take for me to perform the installation and setup.
If the system is good and stable then the "cost" of the time that I would spend installing it on my server would be close to $0 when divided over the amount of time I use the software in the future.
I think another plus of buying their service is your supporting development of the software and saving yourself time, while a critical piece of your security software remains open source.
So you’re paying for the service they offer: a hosted version. You do so because it’s cheaper than hosting your own. There’s no conflict at all with any open source ethic.
> which goes contrary to the ethics of Free software.
No it doesn’t. Free software doesn’t have to be free: Even on the GPL page it’s written that it’s even ok to sell free software. It’s only unethical if you equate OSS to software communism, but that’s another topic.
So anything that encourages the user to either use the freemium, then either dive into the code or either pay, is ethically correct. After all, you can download their AGPL, knock the limit, and redistribute. At which point you’ll be a contributor and while you’re at it, you’ll probably make a few other improvements: it means effectively free for contributors, which is awesome. See, it articulates quite well gratis, contributors and funding.
It’s only designed to make enterprises pay, which is good because they can “donate” huge sums for good software, so it funds the open-source community quite well. And it retains the qualities of OSS: You know what you install, you’re not tied to the editor if he dies, and if they stop improving the software, a contributor can take over their code and become more famous. Win-win-win.
Interesting in that you can host your own instance of their cloud server, but I really prefer something that uses standard cloud storage mechanisms (Dropbox, iCloud, etc.) for sync and works on top of that.
Like others here, I'll probably be reevaluating my choice when it feels like it's time to upgrade. For me, some of the open source solutions are perfect as far as the underlying storage format and sync technology, but lack good browser extensions that already understand all the quirks of various sites. That's the kind of thing that a commercial product can tend to do a better job at.
You can get it to recognize fingerprints or a short version of your password if it's even been fully unlocked for the current phone session. It's a little fiddly and may not meet the level of security you're looking for, but it's an option.
I don't use any plugins. I just copy/paste, which if you're doing it from the app stores the copied parameter in memory for a ~15 seconds, after which it is flushed.
I use Enpass for this, which uses any kind of regular cloud storage backend and has a fully-featured desktop client and browser fill plugins for free. The mobile clients cost money ($10 per platform, once) which I think makes perfect sense.
I've been an early adopter and really they are coming in leaps and bounds. The only complaint I have is that integration with iOS apps is very very spotty, but I believe that's an issue with Apple muscling 3rd-parties away from that field (and to a certain degree, an issue with developers not following best practices in their apps).
I'm glad they're at least offering non-subscription licenses. I hate feeling like I'm having to buy the software over and over again, just to get security updates.
While 1Password works better than the rest of the pack, they're not exactly a fountain of new, needed features.
Came here to say this. I lost a lot of customer loyalty for 1Password after they did this to me. Unless I missed it, no mention of the price of version 7 in the blog post.
They announced a price for the windows version. It will be $65, and you get a $25 discount if you've been using the beta version. I assume Mac licenses will cost the same.
1Password 7 re-adds local vault support to Windows for standalone license users at the very least. Not sure about subscription users... as there seems to be conflicting information about this.
They needed to rewrite their Windows version from scratch multiple times and their first major release from this rewrite marathon was 1 Password 6 which had no support for local vaults.
This looked like a clear deprecation of their local vault support but their Mac and Android versions never dropped support for those. I don't know if AgileBits ever planned to drop that from the other versions but after some vocal feedback from their users they stated that local vaults will remain.
The upcoming 1 Password 7 is the first release after the rewrite to support local vaults again on Windows. (BTW, their previous Version 4 for Windows with local vaults was still supported during the 1 Password 6 timeline. Afair, they stopped to sell stand alone licences for those after a while.)
They lost me over this issue too. It felt like they only decided to support local vaults again because there were so many complaints from loyal users about the deprecation, which makes me think at some point they may try to end-of-life it again. I wouldn't mind paying for a new license every few years, but I don't want anything on their cloud.
I don’t really get this perspective. You can continue using the version of 1Password that you bought without issue. The expectation that your purchase years ago should entitle you to updates forever is pretty ridiculous.
when utility or productivity tools are offered at a fairly steep price point as 1password was people usually have a reasonable expectation to receive long-term upgrades.
It's not ridiculous at all because it generally is the norm.
I spent around 45-50 dollars in 2013 for the Windows+Mac Bundle and iOS apps. 1Password 7 is the first paid in my experience using the software, which is vital to me every day.
Roughly 10 dollars a year for a critical utility software isn't "fairly steep," and I also fail to understand how so many years of free updates imply any type of "reasonable" expectation of long term updates.
Better security and better user experience to start with.
Unlike most of competing products, 1Password encrypts pretty much all information, including vault names, item titles, URLs, tags. It is easier to list what's not encrypted. It is also probably the only product using SRP.
Now check out what information is sent in plaintext or base64-encoded in other products.
1Password service has completed SOC 2 type 1 and 2 certification as well. It is more about internal company processes and how they are followed than encryption.
"Hey your data is safe just because we have SOC 2 certification" -- that's not want you want to hear.
Someone who purchased 1Password 3 when it was first released on the Mac App Store in 2012 has already received six years of free updates to versions 4, 5, and 6.
As far as I'm concerned, AgileBits has gone well above and beyond what is reasonably expected in terms of providing long-term upgrades to existing users. For those people to now turn around and complain that they aren't also getting version 7 for free... frankly comes across as entitled and ridiculous.
If you’re referring to 1Password here we’ve never advertised included upgrades forever. Licenses have always been sold per-person, per-platform, for a version of 1Password (e.x. 1Password 6).
Including perpetual upgrades for a one-time fee wouldn’t be a sustainable business model for us.
I have lurked your forums for a long time. You and your team are experts at delivering limitations through omission while hyping something. Signing your post doesn't make this less true, and isn't going to make my criticism of your closed-source, rent-seeking software less harsh.
I've been using KeepassXC (KeePass w/ macOS GUI elements) and enjoying it. It's a little simple (you just copy and paste the PW). It doesn't do fancy autofill but there's support for pretty much every OS.
> KeepassXC does have a browser extension for Firefox & Chrome.
Yeah, but IIRC it doesn't on iOS? I dunno, it hasn't been a big pain point.
My solution has to use the Firefox password manager for low value things (like Hacker News), and manually c/p for the higher value (bank, retirement account, etc).
(Maybe I'm overly paranoid but I don't like to put high value passwords into the cloud)
It's Safari-only on macOS, as far as I know. It does work with iOS apps and it doesn't work on Windows. It can't replace a password manager unless you use Safari on macOS as your primary browser.
Ah, I see why it’s useful for me: I use Chrome and Chrome stores passwords per profile. And I have several profiles that must not be shared (private, work-dev, work-sysadmin...), and an OS-wide password manager would be super-prone to mistakes. I also use Firefox for non-Google-approved work (ex: MRA and James Damore), and, same, profiles work super-well.
On macOS, Keychain Access.app (built in) can be used as a stand-alone app to generate and store passwords.
WFIW I’m using a plain text file in an encrypted disk image, because I started before I found out about Keychain Access.app, and I never actually trusted third party apps for security reasons and possibly paranoia, so I can’t compare UX quality, but it is available in a form on the desktop.
The purpose of a password manager is some kind of multi-device password sharing. Plain macOS keychain doesn't do that at all. There are certainly ways to manually emulate parts of the behaviour of a password manager, whether it's with Keychain Access or post its in your wallet (or various combinations thereof). Password managers are about automating all that.
It is multi device though. Sure it’s Apple only, but it’s all my Apple devices, macOS and iOS (I don’t have a watch or a TV), not just wherever the password was created.
It's not. Keychain is not synced across devices. iCloud keychain, a separate service, can sync parts of keychain.
iCloud keychain is a perfectly reasonable (and as a UI, probably better than anything else) password manager iff you use Safari as your main browser and all your other devices are Apple devices.
OK, that’s something I didn’t know, and I may be missing something from such a silly name overlap. However, I do have items in Keychain Access.app which are from iCloud. What gives?
Keychain Access lets you view your local keychain (i.e. your device's secure trust store). If you have iCloud keychain turned on then certain parts of your keychain will be synced across devices so you'll be able to find, say, a web password you generated on your phone on in your Mac's keychain (via Keychain Access and otherwise). The terminology is a bit confusing, that much is true.
If you can live within the constraints of iCloud keychain (the Safari/Apple devices thing, don't need stuff like 'team sharing, etc) it's arguably a better solution than 1Password.
> Guys, why not Keychain, the default password manager of macOS?
Because keepass files are cross platform. macOS, iOS, android and all the flavors of Linux support it.
I also strongly prefer having a locally stored password DB on the device rather than letting it sit in the cloud. (Even though I have an admittedly strong passphrase)
I honestly can’t remember when I last paid for 1Password, yet I use it on my Mac and iOS devices (since 2011 it seems!). It never prompts me, it just works. I don’t follow the pricing policy changes, the only thing I know is I don’t want a subscription. I just want to pay for this great piece of software.
So I hope this just means I’ll shell out $50 or so and be done for a few years? If so, then great.
It doesn't mean that, they are aggressively making sure it will never mean that again, and it definitely won't be fifty bucks for a few years. (It's $36/yr.)
I'm interested in where it is. I have recommended 1Password to friends saying that I had heard standalone version was still available, but I am unable to find it on their site.
The blog entry even states, “While still tough, this decision was easier to make as people looking for licenses will be able to download 1Password 7 directly from our website. I know this isn’t ideal for those who love the Mac App Store and prefer to purchase standalone licenses and I apologize for that. But overall I believe this was the correct decision to make.”
A little of both. I did a check and I literally couldn't find it. If it's that well hidden (I have a few licenses from prior versions, so I'm not a stranger to the site) isn't that effectively not having the option?
My comment was a response to '1Password is making it so you can never buy a standalone version again'. This isn't true. It is true that they try to steer people into a subscription. But if they wanted to kill the standalone version, they would have. You can download the 1Password 7 beta right now and pay for it once.
There is no reason to believe that. I paid for 1Password as a standalone app THREE TIMES, only to discover later that my versions are all being orphaned, will not be updated, and will not receive key features.
What do you mean there is no reason to believe that? The very latest 1Password (the one that's in beta and not even in wide public release yet) you can purchase without a sub right this second. What's the part that you don't believe?
> Those of you with a standalone license for version 6 will be prompted to subscribe or purchase a license when the beta first opens. Licenses will be available for $64.99 when we launch later this year, but are available now for only $39.99.
Office 365 gives you a full office suite (including outlook) + 1TB of online storage + 50GB ad-free mail for 70$/year. According to complexity rules, 1Password shall ask for 36$/century.
This isn’t even a reasonable way to compare product pricing. Xbox Live Gold costs nearly as much as Office 365 Personal annually, and it is barely useful unless you own games to go with it. Or we could compare Office 365, at $70, to Apple iWork, which is free. Sure, Office has more functionality, but does it have infinitely more?
Office 365 operates at scale. Of course they can offer prices that low for so many valuable services. They have millions upon millions of users. The more customers they acquire, the cheaper it is for them to offer those services per customer.
I really like 1Password, it has been my daily driver for years. The creators gifted me versions for macOS and iOS years ago, so I never had to pay for it - which I would have done happily and, in fact, just recently did.
But the push to the cloud versions gives me headache. I don’t want to sync using their cloud - I actually sync using a WiFi server. While it’s (still) possible to obtain the standalone versions, it’s difficult to find them. And I expect that in a few years, they’ll be gone completely.
I am looking into Bitwarden at the moment as a self-hosted alternative but I haven’t decided yet.
It's worth noting (and not super obvious because of their marketing) that "getting a subscription" and "using their cloud sync" are not a mutual requirement. You can pay via subscription and continue using local/Dropbox/etc vaults.
This part was super confusing to me until I dug deeper when a friend upgraded.
So the primary impact of switching from standalone license to subscription, if you're planning on using 1Password for a while, is that instead of paying a larger chunk of money every so often when they drop a new major version, you move to paying a flat couple bucks a month or larger chunk per year.
Thanks for pointing that out, that was, indeed, not clear to me either. But I expect this will change at some point, for the sake of simplicity for end users. Giving up security for convenience.
I doubt that, personally, because of exactly the reasons you and others are noting in this thread.
Especially in a world where they successfully convince everybody to pay a monthly subscription, the effect of losing every user who wants local vaults would be an immediate visible blow to their revenue stream.
Their goal in moving to subscription services seems less driven by simplicity and more with making that revenue stream more predictable. But whoever runs the marketing side of the house decided the best way to pitch the change was by saying how great the cloud hosting was, and looking around at these comments I hope they realize their error.
I've used 1Pw local sync for years, and it's very finicky. When I've contacted support, they only offered suggestions like "restart the app", or "upgrade to the latest version" (even though there's nothing in the changelog which seems possibly relevant). Some days I'll add two new passwords, sync to my other Mac (multiple times, even), and only one of them is transferred.
The move to their own "cloud" as the primary sync system pretty much ensures other sync methods will never get properly fixed. I wouldn't have recommended 1Pw to people looking for non-cloud sync in the past, and now I definitely wouldn't.
As a counterexample: I've been using dropbox sync for years, 1000+ passwords, only ever had one problem due to a conflict ("lost" password I made on mobile, resolved by picking the right conflict-file in dropbox).
That said, I refuse to use cloud-stored browser-accessed password managers, and it's looking more and more like they're pushing for that to be the only option. Not there yet, but oh boy are they pushing it down into the deepest corners of the website.
Not even slightly. Encrypted at rest -> who cares where it is stored or how it's synced.
Desktop app: I can stop updating, firewall the app, use offline, airgap a computer, I have many options for reducing my attack surface.
Website: I have literally no way of locking down a version, possible-but-I-haven't-seen-it to be notified of changes (but likely not block them), and it would be rather trivial for the site to ship new JS that simply uploads your password once entered.
Not that I think you are. I assume you'll approach that with the same level of care as you've given your apps (which has been fantastic). But I do think that you're a gigantic payout if someone successfully breaks in. Why should I throw my eggs into such a large, internet-connected basket?
---
For comparison, injecting a malicious update into the apps to do the equivalent of a trivial, invisible JS change means: 1) getting a change into the binary (maybe they brought their own tho), 2) breaking into your app-signing system which is hopefully among your most-secure locations[1], 3) distributing the app to both customers and employees with a visible update notification, and 4) not getting caught before I download it. For each app. Websites are far, far easier to take control of.
[1]: I'm not aware of any server-side security-oriented frontend-web stack which would mitigate this in the slightest. I hope there is though! I'd love to read up on it if anyone knows of one.
It is finicky! There are multiple components outside of 1Password control when you are using Dropbox, iCloud, or WiFi sync.
We do our best to find, troubleshoot, workaround these issues. We have built an entire Troubleshooting and Diagnostics utility just for that:
https://support.1password.com/diagnostics/
For the majority of users sync with third-party services works well. However, there cases when it gets finicky.
I don't use any third-party services. I use what 1Pw calls "Folder" sync, as it's the only non-cloud method available. 1Pw on Mac #1 saves a binary file to disk, and 1Pw on Mac #2 loads that file from disk. There's no components here out of 1Pw's control. Sometimes, 1Pw simply doesn't write the file on Mac #1, as I can tell by the modification timestamp.
I ran 1PasswordTroubleshooting.app, and sent in the 400KB report it generated. The response I got from tech support mentioned nothing about what might have been found in that file (or what they expected to find, which could prevent data from getting from the application to the filesystem). They simply gave the usual spiel about restarting/upgrading.
> So the primary impact of switching from standalone license to subscription, if you're planning on using 1Password for a while, is that instead of paying a larger chunk of money every so often when they drop a new major version, you move to paying a flat couple bucks a month or larger chunk per year.
One thing that is not clear to me is what happens with the subscription license if you go a long time without internet access. With the standalone license, it checks the validity of the license when I enter it, and then I'm good as far as I've been able to tell forever more.
If I take a laptop with a 1Password subscription, fully validated and synced, and spend 6 months with no internet access, will 1Password continue working?
Remember, 1Password is often used for more than just internet passwords, so wanting to use it with no internet access is not unreasonable.
I'm surprised that no-one on this page has mentioned PasswordSafe (https://www.pwsafe.org). Open-source, supports cloud (Dropbox and iCloud sync) and local storage, available on Windows, Linux, Mac, iOS and Android, and has good pedigree (Bruce Schneier). Gets regularly updated.
I've been using this for years across multiple devices and O/S. A real lifesaver.
> If I take a laptop with a 1Password subscription, fully validated and synced, and spend 6 months with no internet access, will 1Password continue working?
Yes. Obviously it won’t sync with your other devices until you restore connectivity.
The developer's comments on the article contradict what you're saying:
> 1Password 7 from the Mac App Store will only support our hosted service, as that’s what you’re purchasing with a 1Password membership. If you install from our website, you’ll have to option to use a standalone vault synced via iCloud if you purchase a standalone license, or use our hosted service if you purchase a 1Password membership.
> As it stands, though, how you purchase 1Password is intrinsically tied to where you store your vaults and how you sync them
It's super frustrating how vague and contradictory they're being about this :\
I understand why they're subscription-only for the mac app store, as a way around its insane lack of pricing flexibility. Makes sense, fully support, etc. But they seem to be continually pushing the non-cloud options further and further away from visibility :|
I get the impression that anything that is not on the agilebits cloud is legacy and they will eventually stop supporting the other options bit by bit, despite what they say on HN forums.
I understand the attraction, from a software development standpoint it's much easier to make everything work well when you control the server and client software together.
This. The writing is on the wall ever since the subscription model hit. I'm holding out until stuff breaks, and then I'll transition to something open source for my very modest needs.
Sorry for the confusion. This is simply incorrect and I need to hunt down who is saying otherwise and get this fixed on our end.
If you have a subscription you can create standalone vaults outside of your subscription and sync those using iCloud, Dropbox or WLAN sync if you wish.
This behaves the same in version 7 as it did in version 6.
The first reply on the top comment of the official blog post says "1Password 7 from the Mac App Store will only support our hosted service" so you should probably start by correcting that...
If you download 1Password through our website instead of the Mac App Store you can indeed use a subscription with standalone vaults. It isn’t the recommended configuration, as you’re paying for features you can’t use, but it is possible. We intentionally don’t talk about this in marketing as in the past it has caused a lot of confusion, particularly with less technical users. HN is obviously a different audience, and we can talk about that here.
Assuming that's correct (since the blog post still strikes me as vague), the answer is clear in their reply: memberships are exclusively cloud, standalone licenses are exclusively local backups / sync.
I’m currently using the 1Password 7 beta with a subscription and no standalone license. I have one vault that is stored in Dropbox and another that is just local.
I have no idea why they’ve decided to handle what they’ve called out elsewhere in this thread as an “advanced feature” that won’t be going away by lying about the feature not existing.
It seems so weird because their subscriptions work exactly how I’d want them to work, but all their public statements actively prevent people like me from knowing that.
Yeah, if it is (and stays) like "memberships get all apps + cloud sync + can still use dropbox sync" I'll happily switch. But I've asked them this question like 4 or 5 times now, and each time I've gotten a slightly different answer.
It's completely ridiculous. And it's burning trust, in a fairly inherently distrustful crowd like you get when you're in the security / crypto field.
I'll clarify for you then :) I'm a developer on our Apple team (Mac and iOS).
If you purchase a subscription you can create standalone vaults and sync them to Dropbox, iCloud, WLAN or Folder just as if you had purchased a license. You'll have both an account (which has vaults in it) and standalone local vaults that can be synced as above.
This is how it behaves in version 6 and nothing has changed with this in version 7.
So if you'd rather have a subscription AND just use standalone vaults you're welcome to do that.
Not however that this may not be true for Android or Windows. I'd have to double check with those teams as to how they do it but at least with regard to Apple platforms this is a viable option if you so choose.
I've brought this topic up internally and hope that we can all be on the same page. My suspicion is that someone from a non-Apple side of the company is answering these. It's tough because our Windows and Android apps are still trying to play catchup with Mac and iOS, so they may not do things that Mac and iOS do.
I do apologize for the confusion though. That said though you can take my answer and trust it. If you have questions though please reach out to our support and mention me specifically (Kyle) and they'll get you in touch with me.
Only one standalone vault is allowed for Android, it doesn't have multiple vault support.
However if you have an active subscription to 1Password.com it will unlock the Pro features for that single standalone vault. So it behaves similarly to how 1Password for iOS does in this regard. The difference is that 1Password for iOS supports multiple vaults.
But the push to the cloud versions gives me headache. I don’t want to sync using their cloud - I actually sync using a WiFi server.
But it has nice benefits as well, they have a Chrome/Firefox extension (1Password X) that goes with their cloud that works on Linux. Understandably, it would be harder for them to offer this on top of Dropbox or Wifi sync.
There's no requirement whatsoever that 1Password X be exclusive to a privately-run cloud. Easier to build, possibly (though since it includes the difficulty of building the cloud service in the first place... oh hell no, 100x harder), but it could work just as well with manual syncing (point to a url -> download the backup, or just give it the file).
Implementing things is not the hardest part. Supporting customers is the hardest part. Things will break and with manual syncing support is going to be a nightmare.
My point is that it doesn't need to sync. Ignore syncing. I'd even prefer to download and upload the backups by hand, rather than put it all in someone else's control in a browser environment.
Cloud password systems are like running all your security-sensitive code in an Electron app - an impossibly large attack surface with many significant flaws in some of your most-sensitive use. It doesn't make sense if you care about security at all. At least extensions are moderately well sandboxed compared to websites (since it'd be trivial to ship new javascript from their site).
1Password X is an extension that is sandboxed. However, default sandbox is not enough. We also spent a huge amount of effort on its security model. Here is more information about it:
Try building a password manager that doesn’t sync and let me know how sales go. :)
> Cloud password systems are like running all your security-sensitive code in an Electron app - an impossibly large attack surface with many significant flaws in some of your most-sensitive use. It doesn't make sense if you care about security at all. At least extensions are moderately well sandboxed compared to websites (since it'd be trivial to ship new javascript from their site).
You are correct in that the web browser is a very hostile environment. We're working to minimize what tasks need a web browser, and have already got it such that the entire sign-up flow can be completed in-app at least on iOS.
> Try building a password manager that doesn’t sync and let me know how sales go. :)
Well... 1Password arguably doesn't sync (until the cloud stuff). It stores files on disk, dropbox syncs it behind the scenes. Given my backup size vs how often I change it: I honestly wouldn't care if it were one blob that were uploaded / downloaded at once for every change, rather than all the small pieces it does now (I assume this is to speed up sync (by a ton)? It's also a major source of sync conflicts that lose data, since dropbox will store both copies on conflict (minus bugs), so it's a horse apiece).
So it works pretty well, apparently. See also KeePass* and many other local-only password managers which people sync via scripts / dropbox / etc. They're doing fine, though 1P is dramatically better than the competition and I'm plenty happy paying for it.
> While it’s (still) possible to obtain the standalone versions, it’s difficult to find them. And I expect that in a few years, they’ll be gone completely
They mentioned somewhere on their site (I don't remember exactly where...it might have been in an answer to a question on the forums) that one of the points of 1Password 7 is to bring the standalone versions up to parity with the subscription version.
Right now, standalone and subscription are essentially different products, with all new feature work going into the subscription product. With 1Password 7, they become essentially one product with different licensing options.
It sure didn't sound like they plan to get rid of standalone.
Every release of 1Password includes both subscription and standalone features. The download is available here:
https://1password.com/downloads/
We always try to implement the new features for both standalone and subscription customers, when it is possible. There are features that are based on the server doing the heavy lifting (permissions, travel mode, account recovery, backups, item history) and they are not available in the standalone mode.
1Password does not care about loyal users who have been there since the beginning. They care about getting new subscriptions. Fair enough, I'll just take my business elsewhere.
I’m sorry we’ve made you feel that way. What is it that causes these feelings for you? I certainly won’t deny that we feel strongly that for the vast majority of customers membership is going to provide the best experience, and so that is primarily what we talk about. But we’ve done a fair bit of work to keep standalone vaults and licensing.
With all these subscription-only apps that are proliferating, I am curious how many enterprising app developers would be interested in making and marketing "cloudless" apps that rely on up-front high prices for revenue, but neverending free updates (mostly bug fixes, I would hope). With GDPR, this seems like it would be actually be easier to deliver.
Of course growth numbers may suck, given how hard it is to make it for any app these days. Long-term growth would probably actually not be sustainable because if it blows up, there is no additional revenue down the road from lack of subscription, and also no network effects to power exponential growth in terms of market share. As far as I can tell, if you're not going to do subscription, there's no way to force users to pay to upgrade to a new version (new features) in the Apple App Store, not sure about Google Play. Your only option is to maybe create a new separate app that's able to import data from the old app, but that seems tacky to me. So, this really wouldn't be a big long-term play at all. But I imagine that there must be short-term markets out there willing to pay for apps that don't keep their data and usage hostage.
I'm myself thinking of making an app like this for budget tracking, just because I haven't found any out there these days that don't require neverending subscriptions and also fit my unique needs. Cloudless is also fine for me, as my phone is storage enough, or if it isn't enough, maybe use my iCloud storage, Dropbox storage, Google Drive, OneDrive, etc for holding the data? Besides that, it'll finally give me the kick in the behind I need to finally learn Swift, which I've been meaning to do for a while. Alas, I imagine cost of customer acquisition may be too high to make even a short-term profit.
So... would this just be a small project for me to prove I can learn Swift and show future employers that I can make smartphone apps too? Or is there actually a real business here and in so many other niches because some people hate being locked into subscription fees? Curious if anyone else has some thoughts.
> I'm myself thinking of making an app like this for budget tracking, just because I haven't found any out there these days that don't require neverending subscriptions and also fit my unique needs.
Did you try GnuCash? It's not user friendly but a friend of mine swears by it.
I moved from GnuCash to hledger. And while I did use both for the 26 bills a year I write as a contractor, I also had all my personal finance in both. Expenses are more like 12 or 4 (the big ones) a month and control was really necessary.
What you'll like about hledger and legerCLI is a) the undo function of your favourite text editor and b) separate files that you can include into a master c) awesome reports on the terminal.
Target user will also be my wife who would really love a super user friendly app. Figure it'd be a good test of my design skills also. I've really only made enterprise stuff in the past where good UI was not really paramount, as long as it was usable. Would love to get better at that too. So this is really just an exercise in my mind at the moment, nothing more.
This article is not about subscription only apps. 1password is available both as a standalone app and a subscription based one. But on the Apple app store they decided to offer only the subscription variant because of apples restrictions.
Right, I believe that jives with my point about how this philosophy of app deployment doesn't make for a good long-term business. I guess their line of thinking is the same as mine, but they come to a different conclusion because they have long-term concerns to think about.
I think this illustrates that apple's app store only serves apple's interests in the long term. If I happen to buy and use any Apple product, I'll go out of my way to avoid apple's supported methods to pay for my software.
Ha, I've started a budget tracking (more like forcasting) app two weeks ago. Rails and mongodb and will be a subscription app.
Have a look at hledger and ledgerCLI, the former has a lot of its functions in an API and you could thinker about using that as a base for a nice UI in something that is not haskell.
" I am curious how many enterprising app developers would be interested in making and marketing "cloudless" apps that rely on up-front high prices for revenue, but neverending free updates (mostly bug fixes, I would hope). "
One of the biggest reasons that subscriptions are proliferating is because it's really hard to make money with the old model. People don't want to pay large up front prices.
"As far as I can tell, if you're not going to do subscription, there's no way to force users to pay to upgrade to a new version (new features) in the Apple App Store, not sure about Google Play."
You can put a V2 in the store, and stop updating the V1. It's a terrible solution, but it's as good as it's gonna get.
It should be built into the initial price. And perpetual is unrealistic, but 10 years is not.
Microsoft provides 5 years of Mainstream Support and 5 years of Extended Support at no additional cost (cost is built into the initial license fee).
Heck, I would more trust software that says 10 years of garunteed support rather than lifetime support. Too many companies fudge the meaning of "lifetime", and 10 years blows Google's 2 + 1 years of Android support out of the water.
there's a huge difference between supporting the version that they sold you for a specific version of ios and writing a new version to work with future changes to ios (which they don't in any way control)
They also sell it with a perpetual license. I own licenses for Office 2003, 2007, 2013, and 2016.
(Office 2016 works well on Linux with Crossover. Just bought a Crossover lifetime license. Crossover has a decent subscription/license working - subscription is for updates, you can continue using indefinately if you stop paying. Although it is a little expensive.)
10 years is a long time. Over its lifetime, Apple has changed the Mac's CPU architecture every 10 years. (They've been on Intel for 11 years now, the longest of any, but there's been rumors of another migration for a couple years now.) Needing to support Mac software for 10 years, then, means supporting your users through an architecture change.
There's probably not much platform-specific code in a password manager, but what are the odds it'll work perfectly under their next emulator, or that you can take such an old codebase and just recompile? 10 years ago, the old "pbproj" format was still supported, but the last Xcode that could open them was Xcode 3 (requires OS X 10.5 or 10.6).
Less than 10 years passed between the last Apple IIe sold by Apple and the first PowerMac G5. Or the last Newton to the first iPhone. Or the original Apple I to the Macintosh II. That timescale has big generational changes, and I don't agree that it's realistic for third-party developers to support software that long at no extra cost.
I made the mistake, years ago, of selling perpetually licensed desktop software with free updates - the economics really don't work, and it's a mistake I haven't made since.
But Windows support is limited to security and bug fixes, not feature updates. Not quite the same thing as getting a free upgrade to every major version of an application.
While I could understand people being upset about this, I pay for a 1password family subscription. It really is a terrific investment. As far as subscription services go it's about the best bang for my buck that I get. A sustainable service model is important for something I rely on so much - especially something that needs to keep on security lockdown.
Also makes it easy for the family to share hulu, netflix, whatnot.
I just switched over as a long time standalone user, and I completely agree. The 1Password Families subscription provides a tremendous amount of value and the product just keeps getting better.
Probably nothing other than ease of use, but the old model isn't part of the equation for me. 5 bucks a month for my whole family to have good password security practices, and for 1password to sustain continuous updates, is a great deal.
Something as critical as "password infrastructure" should absolutely never be a subscription model. Pay software, sure. But by no means should anybody other than you have the ability to refuse access, especially some company where you are nothing but a $5/month number.
I would be more forgiving if the subscription was for value-added features, like dynamic syncing, or remote encrypted storage. But it ain't.
If remote services were an add-on, and nonpayment left your clients still able to use the program, I see no issue. That's not what happens. You're locked out of all your stuff on nonpayment for the "subscription".
This trend of subscription-ifying is horrifying. It's turning users into digital sharecroppers, for a guaranteed line of money. And 'easy-to-import, hard-to-export' is the modus operandi for these companies.
Sure, I'll take the karma hit. I already have with the prior post here. Evidently, people seem on the most part OK with allowing their personal data be trapped behind subscription paywalls... Well, they're OK with it until they're not.
EDIT: Lets make this crystal-clear what my complaint is:
> 1Password 7 from the Mac App Store will only support our hosted service, as that’s what you’re purchasing with a 1Password membership. If you install from our website, you’ll have to option to use a standalone vault synced via iCloud if you purchase a standalone license, or use our hosted service if you purchase a 1Password membership.
No Pay, Forget to Pay, can't afford == FUCKED.
Long story short, they hold your data hostage for the "New and Improved Business Plan".
At first, they're not a monopoly, people who worry about that could easily use other open-source and probably less convenient solution.
Secondly, after the subscription ends the apps simply go into read-only mode. You still have access and can export all of your passwords.
We may argue about it but the most expensive solutions are still the most consumer-friendly.
Your data is yours. Even if you cancel your subscription and your account is frozen, you can still sign in to
1Password.com or in the apps to view and export your data.
Dynamic syncing and remote encrypted storage is exactly what 1password subscription gives you - I add something and it's available on all my devices right away (or my family's devices if I'm sharing it). There are tons of open source options out there if you're not looking for a paid/hosted option.
I wonder if it's so much better than for example Bitwarden for families, which is $1/month. (https://bitwarden.com )
Also, the switch to the "1password cloud", instead of the already freely available iCloud/Google Cloud/Dropbox etc, just seems like a move to make people believe their expensive subscription are justified.
There was absolutely no demand for a "1password cloud".
This entire push to subscription-hell makes me sick...
(i've had 1Password paid versions, OSX & iOS, for like 7 years btw.)
If you look at 1Password features, a lot of them are simply not feasible to implement without having a server-side component. Most of them revolve around sharing, permissions, automatic backups, account recovery, 2FA, etc.
Vault sharing is simply impossible with iCloud. Sharing with Dropbox requires manual set up of shared folders.
This is a very good point that most people fail to understand. We get frequent demands to add 2FA to standalone vaults... the best we can do is try to explain.
I hate subscription models but with 1PW 7 I would have to pay +40 € for each the Mac and the Windows version and still have not access to new features like the travel mode or the CLI client.
AgileBits seems to be an honest company and they went the extra mile to backport some new features (TOTP) to their dated 1PW 4 codebase. I will give them the benefit of the doubt and try their subscription and should they ever turn 'evil', I know that alternatives like Bitwarden or Enpass are available and ready to import my 1PW vault.
I at least partly blame Apple and the MAS being such piece of shit for accelerating some of the sub trends we're seeing on the Mac now. It's really such a genuine shame, because in principle the MAS really could be an excellent idea, a way to unify and simplify a pain point of Mac use and boost security at a few levels without a need to alienate anyone or not support anything. Instead Apple had to make it an artificially pointlessly limited collection of tradeoffs and mediocrity.
In particular AgileBits is right about the missing upgrade pricing system really being a bummer. To this day Apple's decision to remove that remains one of the most perplexing decisions of anything they did with the MAS (or iOS App Store for that matter). The basic idea of paying just for marginal value added since original purchase whereas new purchasers are paying for the whole package from zero is an efficient, sensible and sustainable one that has supported the software industry well since the very beginning. Ongoing support of software costs money, particularly when Apple has made it another principle of theirs to be aggressive about pushing the platform forward vs backwards compatibility. No upgrades (or volume discounts or anything else) is still such a mind blowingly stupid decision in every respect. It's forced developers to make some tough choices unnecessarily, and IAP and subs are one way to go at it.
I at least partly blame Apple and the MAS being such piece of shit for accelerating some of the sub trends we're seeing on the Mac now. It's really such a genuine shame, because in principle the MAS really could be an excellent idea, a way to unify and simplify a pain point of Mac use and boost security at a few levels without a need to alienate anyone or not support anything.
I agree. Many of the applications that have moved out of the app store (e.g. Dash) have also ditched sandboxing.
Going back to the situation where every application can read your whole home directory is a large regression.
(Of course, non-MAS apps can also be sandboxed, but many developers do not do it.)
I remember when developers gathered at one point and submitted complaints in unison about the sorry state of Bug Reporter (rdar) at the time. I never heard if Apple responded to this directly but the tool did receive an update around the same time. Developers need to rally again, e.g. submitting the same rdar from 400,000 different people, on the topic of App Stores.
So remember when 1Password claimed it was superior to LastPass for only requiring you to pay a one-time fee and not storing all of your stuff in the cloud?
I get that these moves make people nervous, and rightfully so. But as it stands every version of 1Password in active development (not including maintenance mode):
* Can be licensed standalone.
* Supports local & Dropbox vaults.
* Was released within the last year, actively supporting those features.
The only feature they’ve actually killed off (by not baking into future clients) is WLAN sync. This is a regression for some, but personally I always found it super impractical.
I agree that how they are going about this doesn’t inspire confidence that these features will remain in the product, but to some extent it does.
While they downplay the hell out of it, 1Password 6 for Windows was a ground up rewrite that ditched local vaults and standalone licensing. Those features were reintroduced in 1Password 7 for Windows, which is a pretty big backtrack for them and requires renewed development effort.
AgileBits doesn’t always make the right decision. They develop opinionated software, like most good developers. However, just like the MAS-only decision they made with 1Password 4 and stood by for some time, eventually they do right by their customers.
1Password 7 for Windows is a great example of that. As much as they would love to go cloud only, they heard the feedback and brought back those two key features. At this point, I can’t expect much more than that.
I moved to LastPass the moment Agile Bits decided to not support its (non subscription) 1Password paying customers in having a web access to the vault.
I had bought all 1Password versions + updates (Windows, Android, Mac, iOS) which put me well above $100. One day I simply couldn't use 1Password online, which I relied on for Chrome OS use. Dropbox decided, rightfully, that the public folder shouldn't be used as a static web server, which is what 1Password used as online vaults.
There was a long discussion in Agile Bits' forums about this issue. Agile Bits argued that it wasn't its responsibility to solve this since it was a Dropbox decision and its users could still store and sync the online vault manually on their own servers. I argued that losing automatic sync rendered the feature pretty much useless.
In any case, Agile Bits could have transitioned its users to the subscription model by either giving them subscription time or by offering an alternative to the Dropbox public folder, but it decided that its customers were not worth the effort.
I had a lot of respect for Agile Bits and 1Password, but this was a crappy way to treat its customers, specially considering 1Password was not a cheap product.
LastPass is not as elegant, but I'm happy with it.
How many customers read your blog? That post has 225 comments. From that base, 90 people expressing interest in a feature sounds HUGE.
I don't care about that feature... but this HN thread is the first I'd noticed that 1Password 7 for Windows actually exists and finally brings back local vault support. I care very much about that. I'd have liked to know about that the minute a public beta landed. But... I spend approximately 0 minutes a day thinking about ways I could better engage with AgileBits.
Maybe y'all could spare some minutes to figure out how to better engage with me, a customer who gave you some money 3+ years ago and has hardly heard a peep from you since.
Did you subscribe to our newsletter? We also sent an email about it.
Blog and newsletter are the only options we have to communicate with our customers. I agree that it is not enough and not everyone receives this information.
If you have an idea how we can make it better, please let me know!
That is a real challenge. On one hand we love talking about 1Passsword and what we’re working on. On the other hand...
1) We often don’t even have contact details for customers (e.x. App Store purchases)
2) When we do have such contact details they may have only been given for the purpose of completing a transaction, and did not agree to receive a newsletter or ongoing communications
3) Even when none of the above is a barrier it is very time intensive to send a newsletter. Not only does it require a fair bit of time to craft but the volume of inflows to our customer support team after sending a newsletter are huge.
I understand and agree with your position that putting the onus of keeping up on what is happening at AgileBits on the customer is no solution, but we do have to balance the above considerations. We’ll continue to look for ways we can do better.
Although it's been said that they will continue supporting licenses through their website, they have made this feature _extremely_ difficult to find ever since introducing subscriptions. I've been a loyal user of 1Password for a long time, and I think it's great software. I use it on both my Macs, as well as on my iOS devices.
However, hiding the non-subscription feature is silly. I do not wish to add yet another subscription (especially something so crucial as my what manages my passwords; I need [edit] it to work, no questions asked), and I would be more than happy to purchase a new license for 1Password 7.
I agree they are burying the hell out of it, but as it stands licenses for 1Password 7 (which is still in beta on Mac & Windows) can only be purchased from within the client, as they want to test the order flow which was rebuilt in this version.
The Windows version of 1Password 7 still can’t be licensed, they haven’t built that part yet. The Mac version however can be purchased, and if you plan on sticking with it I would do so now, as the price will be much higher in the near future. Right now it’s being offered at 50% off.
I just went through this - there's a tiny "downloads" link at the bottom of their page that takes you to https://1password.com/downloads/
I just went through this. Install v7, open it, unlock your vault, and it'll prompt you to try a subscription, with a tiny option below to just buy a license.
I feel the same way and I'm starting to look towards alternatives. Despite having bought (or had bought for me, at various jobs) somewhere between 10 and 15 individual licenses, 1Password won't ever get another dime from me after the way they've treated non-subscription customers. In addition to making it confusing to use my license, the command-line doesn't work at all without a subscription and now other software that integrates with 1Password is being made subscription only.
Like you, I would have happily done a paid upgrade to 1Password 7, but a subscription to access my passwords is a non-starter. And after having been made to feel like a second-class citizen for so long, they've burned any good will I had for them and I'm done buying anything from them.
> I feel the same way and I'm starting to look towards alternatives.
Enpass[0] is worth a look. Free on desktop, one-time fee on Mobile, sync via the cloud provider of your choice. Also available for Linux, which is what drew me to it.
I've been very happy with bitwarden. It's free to use (and open source if you want to self host). They have a 10 USD/year subscription if you care to some premium features and/or supporting the company.
As a free user I've contacted their support twice and they replied within minutes.
I thought Bitwarden was super cool until I realized that the self-hosted version still phones home to their servers. Not to say that you couldn't fix that, I mean, the source is all available.
But shamefully, as it stands, "self hosted" for Bitwarden really means "host on your server, with our server's permission"
Could you give me some details on what we've done to make you feel like a second-class citizen? I'm sorry if we've made you feel that way, it certainly isn't our intent but clearly we've done something that hasn't sat well with you.
Licenses aren't going away and we are definitely offering them for version 7. There are a variety of new features that both license and subscription users will see in version 7 as well.
The command line tool was made possible because our server component was written in Go and so we had a great deal of the work done as the command line tool is also written in Go. So there's a great deal of shared code there.
The original intent of the CLI was to allow administrators to automate the creation and deletion of users and vaults. They do this type of stuff all the time and having a tool accessible to them for this purpose was a goal of ours. It has the ability alter items and all that but I think for the most part it's used as an admin tool more than anything. Very little of this applies to the way the standalone vaults work.
Either way, I'd love to understand more about what we did to wrong you so I can pass that information along to the teams that need to see it.
Sorry I missed your message from a couple of days ago, but in case you read this:
The feeling of being a second-class citizen comes from recently purchasing a new computer and the process of getting 1password configured.
- First, the webpage. The 'Try it free', 'pricing' and 'get started' links all go to a sign-up page that makes no mention of the non-subscription option. To download the software, I had to find the little 'download' link in the footer of the page. Given that it's still possible to signup for the subscription service after downloading, I'd like to see a more prominent 'download' to both support people like me who have an existing license and people who want to install first and sign-up second.
- Second, there's the experience when first starting the app. It actually took me about 30 seconds to figure out how to connect it to my existing vault that I keep in Dropbox. The sign-up flow is so prominent. It may have been different if I'd installed my license before connecting my vault, but I keep my license in my vault, so that's a bit of a chicken-and-egg problem.
- Third, on my new computer I discovered the Station app, which seems like a cool way to separate my persistent, always open tabs from my normal browser tabs. It has 1Password integration, but uses the CLI client to accomplish that, which means I'm out of luck and stuck having to copy-paste my password every time GMail wants to reverify. Adding support for non-subscription to the CLI would mean a lot since it's used to integrate with other apps.
Alternately, if you'd like to publish developer documentation on the native message protocol used by the Chrome extension, I'm happy to write code myself. I've wanted a modern version of http://sudolikeaboss.com for a while, but reverse engineering your protocol crosses my not-worth-the-effort boundary.
None of this is major, but it's all the little things that contribute to the feeling of being second-class in the eyes of AgileBits.
Regarding your first point. I've filed this feedback to our team in charge of the 1Password.com page. I don't have much more than that right now but I generally agree with you. There are probably reasons for why we focus this a bit differently... Notably, if I had to guess, that paying through IAP (which is how they'd likely end up paying if they sign up in app) costs us a significant amount more and offers far less flexibility. Just one potential reason I think.
For the second. We've rewritten this welcome screen multiple times... turns out getting it right is incredibly difficult. I think we've gone through something like 50 different variations of this single pane now. I honestly don't have anything on in mind that I can share here.. it's both frustrating for us because we know people are confused by it, but we also aren't sure how else we can present that information that's going to be more clear. It's always a teeter totter, trade one thing for something else, but we lose something as well. I do appreciate you commenting on this though, I'll pass it along to the rest of the team as well.
> We have to advise you to never enter your 1Password Master Password into anything that isn’t 1Password. We aren’t casting aspersions on the integrity or competence of any developers, but we simply can’t advise otherwise.
So our general stance here is, you really shouldn't enter your Master Password/Secret Key into third party apps. We can't vouch for it and you're basically giving Station full access to your data doing this. Entering it into the CLI directly is great, but.. Station is gaining access to this information which is the issue we generally have with suggesting this type of thing.
Adding support for standalone vaults to our CLI is... difficult. The 1Password.com server is written in Go. As is the CLI. We were able to make the CLI in super fast form because we could piggy back on the code we have for the server, move a couple modules over to a new project, write some glue, wah-la. The CLI also started as a tool for management of accounts... think adding users, deleting users, adding vaults, granting access, etc. Admin type stuff. Literally none of this applies to standalone vaults.
At best we could write a CLI (separately) as part of the 1Password app that is in Objective-C/Swift, since we could piggy back on existing libraries we have in 1Password for Mac/iOS. But I really don't see very many people needing this... would it be cool? Absolutely... but... I don't think there's this great demand for it.
Regarding sudolikeaboss, I think we'd ultimately like to see something like that again. But the way sudolikeaboss worked was incredibly hacky and it was bound to break because of this. We'll have to take a look at this for future updates, but I don't see sudolikeaboss coming back as a thing, perhaps we can do something internally though. There was simply no time for this for 7.0 though. But maybe it's a neat idea for 7.1 or 7.2... both of which have some already huge features planned.
So to kind of re-iterate a little bit. The CLI exists because it was super easy to glue pieces together from existing code. It's not like we set out to write this to stick it to anyone, we wrote it because we seen a demand for it by administrators who were on unix type systems and they wanted ways to admin their accounts. It gained some editing/using features as well but those came after. Interestingly the CLI talks directly to the server fo...
That way, software could integrate with 1Password by triggering 1Password to prompt the user for the master password, choose a password entry and send that data back to the application that triggered 1Password. That way, the master password is never sent to anything that isn't 1Password. This was the workflow of sudolikeaboss. The implementation of that, however, was hacky since it used a reverse engineered websocket connection behind the scenes. It would seem that the native messaging stuff is a little cleaner and would allow third-party apps to trigger 1Password in a way that, at most, a single password would ever be exposed.
I guess the ask would be to make that native messaging protocol that the Chrome extension uses a documented and stable thing. And since the 1Password application is used by both subscribers and licensees, that can become the preferred way for 3rd parties to integrate with 1Password in a way that users know only exposes individual passwords at the single point in time when they're used rather than the entire vault, for exactly the security reasons you mentioned.
BTW...as much as I've felt frustrated by some of the decisions AgileBits has made, in the few interactions I've had with people at your company, everyone has always been the above-and-beyond type, as you've exhibited here, so thank you for the effort to engage in this discussion, likely long after others have stopped reading this thread.
There are a few security related issues with how we handle the native messaging stuff.
There are two important things:
1. We check code signatures and compare them against what we know and expect.
2. The more we approve for this the more it feels like we're screening and supporting the ones we do approve.
We have opted to remove all browsers except those that are mainstream (Chrome, Firefox, Safari and Opera). I believe everything else has been removed. We also don't allow this to be disabled, for security reasons, as of recent versions.
sudolikeaboss would also require that we add their code signature to the app and it breaks the new rule we have on that.
If sudolikeaboss ever came back, it'd be a home grown solution internal from us. It's the only way we could make this work I think.
Security is really tough. We didn't want to start feeling like we had to screen all apps and vouch for them. It's a really slippery slope. Maybe we'll find other ways to accomplish this though. There are indeed some .. plans.. that might actually really impact this in the future! We'll have to see what comes from WWDC this year before we make next steps though.
And thanks for the kind words. I like hacker news, I hang out here and read stuff during my lunch and stuff, so it's a pleasure getting to converse with people here. :)
Most of the HN users reading this thread do understand the difference between licenses and subscriptions. It may seem strange but this is not the case for the vast majority of the users. We have customers emailing us about having a 1Password account/subscription since before 2015 (when we only had licenses).
There was a lot of confusion with this design because people simply had no idea what to choose. It is ridiculous but we had many hundreds of customers purchasing both.
The subscription is a better option for most of our users because it takes care of so many things:
- no need to purchase separately on every platform
- no need to learn the difference between iCloud and Dropbox sync, and why sharing is not possible with iCloud option
- no need to learn how to set up a shared Dropbox folder
- no need to worry about backups when your computer or phone dies
- and more
Many of our long-time customers still use licenses and are happy with the existing setup and we want to keep them happy. This is the main reason we keep the licenses going and releasing new version for Mac and Windows support for licenses and standalone vaults.
The standalone macOS app isn’t going to be much value to me if the iOS app requires a subscription though.
1Password accounts seem like a very attractive target for something like Stuxnet. I just can’t bring myself to put my trust in a corporation, given the history of pivots & acquisitions and subsequent licence changes & data repurposing.
The iOS application doesn't require a subscription to use. It works just fine as it always has with standalone vaults via iCloud or Dropbox (and WLAN from a desktop).
On iOS, scroll down the list, you'll see an option on the welcome screen to create a standalone vault. You're not on a subscription doing this.
Already have a vault synced to Dropbox or iCloud? Tap the requisite option on the welcome screen and it'll suck the data in from your sync source of choice. Again, no subscription required.
What is the future of dropbox sync between desktop and iOS? Am I right in assuming that since you keep only mentioning iCloud that it won't be possible? I can just decline to upgrade the desktop client, but I can't just choose to ignore updates to the iOS client.
Honestly, I will be happy if you continue to support licenses vs. subscriptions as an option + syncing with the cloud service of choice (I use iCloud). My use case is pretty simple. I don't need fancy integrations. I just want an easy to use solution that protects my passwords and enables me to use it across my Apple devices...which is what my (licensed) 1Password 6 does wonderfully for me now, across two Macs, my iPhone, and my iPad. For that feature set, I am willing to fork over for a new license at major versions. I just don't feel comfortable making my password management dependent on a subscription. Also, I would be more amenable to a subscription for a small amount for the iOS app (as that is more of a convenience than critical to my workflow; I use 1Password on the desktop much more frequently) so long as I can still purchase a license for my computers [edit] and have all the devices work together.
I switched over to Enpass (https://www.enpass.io/) not too long ago and it's been great. At the time (about 2 years ago), it had the best feature parity with 1Password and it's continually gotten better over time.
I have a family subscription of 1PW. I can easily share some password with my wife and our daughter is getting used to using a password manager before she's 10.
I totally empathize with those who refuse to use cloud/subscription services as, let's face it, there are a lot of bad actors doing crappy things with our data.
But for me 1Password seems like a small, honest company providing great quality service and software. I'm a happy customer.
> But for me 1Password seems like a small, honest company providing great quality service and software.
Yes, I imagine because they have carefully crafted that image through blog posts and impression management. They have over 70 employees to write a password manager. 70!
But that's a bit specious. There are not 70 software developers at AgileBits engaged in writing the code for the product. A business like AgileBits requires a lot more overhead than just software engineering.
We are actually more than 100 people now. A big part of our team is dedicated to customer support. After all there are over 15 mln 1Password users and we get several thousand emails per day. There are over 30,000 businesses using 1Password.
We have designer and development teams for Mac/iOS (Objective-C, Swift), Windows (C#, .NET), Android (Java, Kotlin), browser extensions (JavaScript), 1Password server (Go), 1Password web client (TypeScript, ReactJS), command-line client (Go), SCIM/LDAP integration (Go, Docker, Kubernetes), and a ton of other smaller projects.
There is a Security Team that does security reviews, works with BugCrowd researchers, and does SOC 2 compliance. DevOps team works with AWS and Google Cloud.
iCloud Keychain is pretty good, but it tragically fails in the followings cases:
* Any browser other than Safari.
* Apps that MacOS/iOS don't parse for password fields for some reasons so you can't generate a password right there — and it's a huge pain to add them manually, practically impossible on iOS.
* Cloud access (if you need your account and don't have any of your devices). Your Keychain is in the iCloud, but you can't access it from icloud.com
So Apple could easily make it much better but they haven't.
This just reminds me how excited I am for passwords to be replaced. We shouldn't need a third party application as an authentication shim for every service that we use. The high lock-in on password managers is also unnerving.
After using (and loving and having paid for) 1P for years, I moved over to Enpass a year or so ago. Their clients are not as good as 1P's, but I simply neither want a subscription based service (what happens if they are bought / go under), nor do I want my passwords to reside on their servers (encrypted or not).
There are at least two elements to software maintenance: one is adding truly new features, and the other is making stupid changes just to keep old features working as they always did (often due to platform or hardware changes, especially with Apple!).
I see Apple coughing up none of the costs that they create by regularly fiddling with their platforms and hardware in breaking ways, yet that is a big reason why software can’t be sensibly “bought once”. Now they’ve come up with a scheme where they not only don’t give developers discounts for maintaining software but actually take yet another cut.
Yes. I feel that, because of the currently constantly changing nature of hardware and software platforms, subscriptions are going to be the only way of sustaining a business. It’s no longer even software as a service, but software IS a service.
The only exceptions are situations where hardware and platforms change slowly or not at all. e.g. Single player video games (and even that is largely consoles), certain kinds of embedded, etc.
People are already becoming frustrated with all the subscriptions they have, though. People are “fine” with paying to maintain things like their home and car. The problem with software is that it doesn’t really “break” from use. Updating the platform and hardware around the software is what can break it. It would be like the pipes in your home are indestructible and never burst in winter, but they can explode when building codes update or the water treatment plant changes it’s equipment.
I hope that it's only a matter of time before people start turning their pitchforks at Apple, Microsoft, maybe Google et al who are the perpetrators of the majority of this platform fiddling that stops software from working.
> There are at least two elements to software maintenance: one is adding truly new features, and the other is making stupid changes just to keep old features working as they always did (often due to platform or hardware changes, especially with Apple!).
I'm OK with the model that VMware is using, at least on the Mac.
You buy version X, you have version X. Version X gets updates for some amount of time. Eventually, a Mac OS upgrade makes version X no longer work, so you have to pay an upgrade price to upgrade to version Y. There is no subscription, but there is regular income to the company to make the updates you describe.
I like that model, too, but at least for something like 1Password I can see two issues. You'll have people using older versions with possible security vulnerabilities. If you're using hosted passwords you have to deal with dealing with multiple versions of the client indefinitely (although, you'll probably have to deal with a bit of that anyway)
When you include the hosting service, having a subscription (since you're providing an ongoing service) makes perfect sense. In this case, so does also forcing the current version.
I agree that subscriptions make perfect sense for services (because servers, support, etc. cost money on a monthly basis), but the trend seems to be to create an arbitrary reliance on a hosted service as a way to justify subscriptions. Luckily 1Password hasn't totally gone that way yet, since they still offer standalone licenses for local vaults, but I feel like it's the direction they're going.
This is what this article is about. The App Store offers no mechanism for upgrade pricing, your only options are to 1. upgrade existing app (free for existing users) or 2. release a new app (full price for existing users).
I would be okay with the subscription plan if they would allow for a permanent license after the subscription ends. Something like what JetBrains did. I was going to drop using JB software until they added that feature, and now I am a happy ”subscriber.”
I feel what galls people is that we buyers have nothing to show after ending a subscription, especially if we are not using anything “servicey” about said subscription.
483 comments
[ 2.0 ms ] story [ 353 ms ] threadOn one hand, password managers in browsers are becoming nearly good enough to cover for 80% of my use cases, and most of the other 20% boil down to convenience (ease of pasting, updating, etc.)
I don't like the idea of being forced to move to a subscription on my Mac and on iOS for diminishing returns in feature improvements -- and I've been using 1Password for many years now, so the need to finance new features is something that I understand but have seen little return from.
By all means ensure you can sustain revenue, but beware of inflated subscription prices.
(I've been keeping tabs on alternatives for a while now, so I will likely not upgrade to 1Password 7)
At least in the case of 1password the rate isn’t usurious, but the biggest problem they have is due to a business decision to make the product dependent on a SaaS-like service delivery model.
It's not cheap but it works and afaik it's secure (esp with the Yubi).
What do you mean by "only sync using their back-end"?
Are you sure about this? My understanding is that they will support other places to sync, like iCloud, as in previous versions.
What. I'm using 1Password 7 with a standalone license. I installed the beta, paid the $40 it cost for a license, and it works fine with iCloud and Dropbox same as always, I moved right from 1Password 4 and the only change I did was to purposefully force a resync so that all shared keychains would be updated from the ancient format to the newer one (if you were on 1P6 that wouldn't be necessary).
I'm not a fan of their subscription efforts because I think it's actively subtracted from what they could have done for the standalone version, and I don't think they've been fully honest about it which absolutely rankles. They talk big about benefits but they don't actually acknowledge costs or the profit motive. Even so there is a really oddly high load of objectively, trivially disproved FUD swirling around these HN articles about them now and I don't fully understand why.
But my data shall be my data, again. I’m not paying for an app that I regularly have to buy an upgrade for and which doesn’t give me the opportunity to hold my data locally after explicitly having this as a selling proposition for many years.
Ben Woodruff
AgileBits
The subscription service changes the frequency at which you pay Agilebits; it does not mandate how you store your data. 1Password 7 continues to allow all the kinds of local/Dropbox/etc vaults that prior versions allowed.
If somebody at Agilebits is reading this thread: look around at these comments. The lack of clear information about local storage in the subscription model is causing massive levels of customer concern.
This reduces support and development load (no need to support local/Dropbox/Wifi sync with all its edge cases) and guarantees montly/yearly payments.
Both the standalone subscription and the local vault support have regularly been mentioned in announcements and updates for 1Password 7 from the start. My impression is that agilebits understands how important these options are to their users and have invested in keeping them around for the long-term.
If AgileBits was VC-funded then we would have to drop standalone vaults, no doubt. It is a good thing that we are not. We do care about our long-time customers and will provide standalone vaults for as long as there is demand for them. Just please do not ask us to make it a default option.
However, it would not be the best option for most of the customers. They would have to understand how to take care of local vaults, including syncing, backups, etc. It is really an advanced feature for very technical audience.
> 1Password 7 from the Mac App Store will only support our hosted service, as that’s what you’re purchasing with a 1Password membership. If you install from our website, you’ll have to option to use a standalone vault synced via iCloud if you purchase a standalone license, or use our hosted service if you purchase a 1Password membership.
> As it stands, though, how you purchase 1Password is intrinsically tied to where you store your vaults and how you sync them
This was directly in response to a question about the ability to continue using local vaults in 1Password 7, and it doesn't say that local vaults are an advanced feature, it says they will not be supported by people who buy a subscription.
If y'all just didn't mention the local vaults in most of the marketing, and then there was an "Advanced users only" section that said "however you pay us, you'll be able to keep using local vaults just like always", you'd solve a whole broad spectrum of the concerns you're seeing on this page.
I’m sorry for any confusion caused by the comment. Hopefully this clarifies.
Ben Woodruff
AgileBits
Their base software has an artificial limit in terms of number of users and number of 'collections', which goes contrary to the ethics of Free software.
I've not looked again recently but lastpass is the only thing I've found that fits those bills.
Seems to fit the bill a bit better. And might mean $12/year less though thats not a huge problem.
For people like me that already rent a VPS for their mail and website the marginal cost is $0 except for the time it would take for me to perform the installation and setup.
If the system is good and stable then the "cost" of the time that I would spend installing it on my server would be close to $0 when divided over the amount of time I use the software in the future.
No it doesn’t. Free software doesn’t have to be free: Even on the GPL page it’s written that it’s even ok to sell free software. It’s only unethical if you equate OSS to software communism, but that’s another topic.
So anything that encourages the user to either use the freemium, then either dive into the code or either pay, is ethically correct. After all, you can download their AGPL, knock the limit, and redistribute. At which point you’ll be a contributor and while you’re at it, you’ll probably make a few other improvements: it means effectively free for contributors, which is awesome. See, it articulates quite well gratis, contributors and funding.
It’s only designed to make enterprises pay, which is good because they can “donate” huge sums for good software, so it funds the open-source community quite well. And it retains the qualities of OSS: You know what you install, you’re not tied to the editor if he dies, and if they stop improving the software, a contributor can take over their code and become more famous. Win-win-win.
Like others here, I'll probably be reevaluating my choice when it feels like it's time to upgrade. For me, some of the open source solutions are perfect as far as the underlying storage format and sync technology, but lack good browser extensions that already understand all the quirks of various sites. That's the kind of thing that a commercial product can tend to do a better job at.
Personally i wouldn't want to store my passwords with the same company that creates the (encryption)software.
And i definitely wouldn't self-host (why burden yourself with the management of data-backups/updates/etc. when iCloud is available for free...)
While 1Password works better than the rest of the pack, they're not exactly a fountain of new, needed features.
It seems to need upgrading for each new version of OSX - but I still only use the features now that I used in 2010.
Source: https://blog.agilebits.com/2018/03/20/introducing-1password-...
This looked like a clear deprecation of their local vault support but their Mac and Android versions never dropped support for those. I don't know if AgileBits ever planned to drop that from the other versions but after some vocal feedback from their users they stated that local vaults will remain.
The upcoming 1 Password 7 is the first release after the rewrite to support local vaults again on Windows. (BTW, their previous Version 4 for Windows with local vaults was still supported during the 1 Password 6 timeline. Afair, they stopped to sell stand alone licences for those after a while.)
It's not ridiculous at all because it generally is the norm.
Roughly 10 dollars a year for a critical utility software isn't "fairly steep," and I also fail to understand how so many years of free updates imply any type of "reasonable" expectation of long term updates.
Unlike most of competing products, 1Password encrypts pretty much all information, including vault names, item titles, URLs, tags. It is easier to list what's not encrypted. It is also probably the only product using SRP.
Now check out what information is sent in plaintext or base64-encoded in other products.
Also I'm pretty confident the entire lastpass vault is encrypted locally as well.
"Hey your data is safe just because we have SOC 2 certification" -- that's not want you want to hear.
About vault being encrypted locally: https://hackernoon.com/psa-lastpass-does-not-encrypt-everyth...
As far as I'm concerned, AgileBits has gone well above and beyond what is reasonably expected in terms of providing long-term upgrades to existing users. For those people to now turn around and complain that they aren't also getting version 7 for free... frankly comes across as entitled and ridiculous.
Including perpetual upgrades for a one-time fee wouldn’t be a sustainable business model for us.
Ben Woodruff
AgileBits
(I use Spideroak to sync the DB across devices)
I use Syncthing to sync it among devices, it's open source and fairly simple to use(compared to other DIY cloud apps)
Yeah, but IIRC it doesn't on iOS? I dunno, it hasn't been a big pain point.
My solution has to use the Firefox password manager for low value things (like Hacker News), and manually c/p for the higher value (bank, retirement account, etc).
(Maybe I'm overly paranoid but I don't like to put high value passwords into the cloud)
WFIW I’m using a plain text file in an encrypted disk image, because I started before I found out about Keychain Access.app, and I never actually trusted third party apps for security reasons and possibly paranoia, so I can’t compare UX quality, but it is available in a form on the desktop.
iCloud keychain is a perfectly reasonable (and as a UI, probably better than anything else) password manager iff you use Safari as your main browser and all your other devices are Apple devices.
If you can live within the constraints of iCloud keychain (the Safari/Apple devices thing, don't need stuff like 'team sharing, etc) it's arguably a better solution than 1Password.
Because keepass files are cross platform. macOS, iOS, android and all the flavors of Linux support it.
I also strongly prefer having a locally stored password DB on the device rather than letting it sit in the cloud. (Even though I have an admittedly strong passphrase)
My setup uses iCloud, Box and Google Drive to sync the kdb.
So I hope this just means I’ll shell out $50 or so and be done for a few years? If so, then great.
There's also a Windows version now.
People were confused. A lot of them purchased both. Most of the population is different from technically savvy HN users.
> Those of you with a standalone license for version 6 will be prompted to subscribe or purchase a license when the beta first opens. Licenses will be available for $64.99 when we launch later this year, but are available now for only $39.99.
Then why use it? That seems like an important detail for a password manager.
But the push to the cloud versions gives me headache. I don’t want to sync using their cloud - I actually sync using a WiFi server. While it’s (still) possible to obtain the standalone versions, it’s difficult to find them. And I expect that in a few years, they’ll be gone completely.
I am looking into Bitwarden at the moment as a self-hosted alternative but I haven’t decided yet.
This part was super confusing to me until I dug deeper when a friend upgraded.
So the primary impact of switching from standalone license to subscription, if you're planning on using 1Password for a while, is that instead of paying a larger chunk of money every so often when they drop a new major version, you move to paying a flat couple bucks a month or larger chunk per year.
Especially in a world where they successfully convince everybody to pay a monthly subscription, the effect of losing every user who wants local vaults would be an immediate visible blow to their revenue stream.
Their goal in moving to subscription services seems less driven by simplicity and more with making that revenue stream more predictable. But whoever runs the marketing side of the house decided the best way to pitch the change was by saying how great the cloud hosting was, and looking around at these comments I hope they realize their error.
The move to their own "cloud" as the primary sync system pretty much ensures other sync methods will never get properly fixed. I wouldn't have recommended 1Pw to people looking for non-cloud sync in the past, and now I definitely wouldn't.
That said, I refuse to use cloud-stored browser-accessed password managers, and it's looking more and more like they're pushing for that to be the only option. Not there yet, but oh boy are they pushing it down into the deepest corners of the website.
> That said, I refuse to use cloud-stored browser-accessed password managers
There seems to be a disconnect here?
Ben Woodruff
AgileBits
Desktop app: I can stop updating, firewall the app, use offline, airgap a computer, I have many options for reducing my attack surface.
Website: I have literally no way of locking down a version, possible-but-I-haven't-seen-it to be notified of changes (but likely not block them), and it would be rather trivial for the site to ship new JS that simply uploads your password once entered.
Not that I think you are. I assume you'll approach that with the same level of care as you've given your apps (which has been fantastic). But I do think that you're a gigantic payout if someone successfully breaks in. Why should I throw my eggs into such a large, internet-connected basket?
---
For comparison, injecting a malicious update into the apps to do the equivalent of a trivial, invisible JS change means: 1) getting a change into the binary (maybe they brought their own tho), 2) breaking into your app-signing system which is hopefully among your most-secure locations[1], 3) distributing the app to both customers and employees with a visible update notification, and 4) not getting caught before I download it. For each app. Websites are far, far easier to take control of.
[1]: I'm not aware of any server-side security-oriented frontend-web stack which would mitigate this in the slightest. I hope there is though! I'd love to read up on it if anyone knows of one.
It is finicky! There are multiple components outside of 1Password control when you are using Dropbox, iCloud, or WiFi sync.
We do our best to find, troubleshoot, workaround these issues. We have built an entire Troubleshooting and Diagnostics utility just for that: https://support.1password.com/diagnostics/
For the majority of users sync with third-party services works well. However, there cases when it gets finicky.
I don't use any third-party services. I use what 1Pw calls "Folder" sync, as it's the only non-cloud method available. 1Pw on Mac #1 saves a binary file to disk, and 1Pw on Mac #2 loads that file from disk. There's no components here out of 1Pw's control. Sometimes, 1Pw simply doesn't write the file on Mac #1, as I can tell by the modification timestamp.
I ran 1PasswordTroubleshooting.app, and sent in the 400KB report it generated. The response I got from tech support mentioned nothing about what might have been found in that file (or what they expected to find, which could prevent data from getting from the application to the filesystem). They simply gave the usual spiel about restarting/upgrading.
One thing that is not clear to me is what happens with the subscription license if you go a long time without internet access. With the standalone license, it checks the validity of the license when I enter it, and then I'm good as far as I've been able to tell forever more.
If I take a laptop with a 1Password subscription, fully validated and synced, and spend 6 months with no internet access, will 1Password continue working?
Remember, 1Password is often used for more than just internet passwords, so wanting to use it with no internet access is not unreasonable.
I've been using this for years across multiple devices and O/S. A real lifesaver.
Yes. Obviously it won’t sync with your other devices until you restore connectivity.
Ben Woodruff
AgileBits
> 1Password 7 from the Mac App Store will only support our hosted service, as that’s what you’re purchasing with a 1Password membership. If you install from our website, you’ll have to option to use a standalone vault synced via iCloud if you purchase a standalone license, or use our hosted service if you purchase a 1Password membership.
> As it stands, though, how you purchase 1Password is intrinsically tied to where you store your vaults and how you sync them
I understand why they're subscription-only for the mac app store, as a way around its insane lack of pricing flexibility. Makes sense, fully support, etc. But they seem to be continually pushing the non-cloud options further and further away from visibility :|
I understand the attraction, from a software development standpoint it's much easier to make everything work well when you control the server and client software together.
Subscriptions will only support cloud sync, not local.
If you have a subscription you can create standalone vaults outside of your subscription and sync those using iCloud, Dropbox or WLAN sync if you wish.
This behaves the same in version 7 as it did in version 6.
Kyle
AgileBits
Kyle
AgileBits
Ben Woodruff
AgileBits
Assuming that's correct (since the blog post still strikes me as vague), the answer is clear in their reply: memberships are exclusively cloud, standalone licenses are exclusively local backups / sync.
I have no idea why they’ve decided to handle what they’ve called out elsewhere in this thread as an “advanced feature” that won’t be going away by lying about the feature not existing.
It seems so weird because their subscriptions work exactly how I’d want them to work, but all their public statements actively prevent people like me from knowing that.
It's completely ridiculous. And it's burning trust, in a fairly inherently distrustful crowd like you get when you're in the security / crypto field.
If you purchase a subscription you can create standalone vaults and sync them to Dropbox, iCloud, WLAN or Folder just as if you had purchased a license. You'll have both an account (which has vaults in it) and standalone local vaults that can be synced as above.
This is how it behaves in version 6 and nothing has changed with this in version 7.
So if you'd rather have a subscription AND just use standalone vaults you're welcome to do that.
Not however that this may not be true for Android or Windows. I'd have to double check with those teams as to how they do it but at least with regard to Apple platforms this is a viable option if you so choose.
I've brought this topic up internally and hope that we can all be on the same page. My suspicion is that someone from a non-Apple side of the company is answering these. It's tough because our Windows and Android apps are still trying to play catchup with Mac and iOS, so they may not do things that Mac and iOS do.
I do apologize for the confusion though. That said though you can take my answer and trust it. If you have questions though please reach out to our support and mention me specifically (Kyle) and they'll get you in touch with me.
Kyle
AgileBits
At least on Android it's fairly easy to make a new IME and just use my background dropbox syncer, so I have a backup plan if needed.
However if you have an active subscription to 1Password.com it will unlock the Pro features for that single standalone vault. So it behaves similarly to how 1Password for iOS does in this regard. The difference is that 1Password for iOS supports multiple vaults.
Hope that helps!
Kyle
AgileBits
But it has nice benefits as well, they have a Chrome/Firefox extension (1Password X) that goes with their cloud that works on Linux. Understandably, it would be harder for them to offer this on top of Dropbox or Wifi sync.
Also, syncing is never easy.
Cloud password systems are like running all your security-sensitive code in an Electron app - an impossibly large attack surface with many significant flaws in some of your most-sensitive use. It doesn't make sense if you care about security at all. At least extensions are moderately well sandboxed compared to websites (since it'd be trivial to ship new javascript from their site).
https://support.1password.com/1password-x-security/
Try building a password manager that doesn’t sync and let me know how sales go. :)
> Cloud password systems are like running all your security-sensitive code in an Electron app - an impossibly large attack surface with many significant flaws in some of your most-sensitive use. It doesn't make sense if you care about security at all. At least extensions are moderately well sandboxed compared to websites (since it'd be trivial to ship new javascript from their site).
You are correct in that the web browser is a very hostile environment. We're working to minimize what tasks need a web browser, and have already got it such that the entire sign-up flow can be completed in-app at least on iOS.
Ben Woodruff
AgileBits
Well... 1Password arguably doesn't sync (until the cloud stuff). It stores files on disk, dropbox syncs it behind the scenes. Given my backup size vs how often I change it: I honestly wouldn't care if it were one blob that were uploaded / downloaded at once for every change, rather than all the small pieces it does now (I assume this is to speed up sync (by a ton)? It's also a major source of sync conflicts that lose data, since dropbox will store both copies on conflict (minus bugs), so it's a horse apiece).
So it works pretty well, apparently. See also KeePass* and many other local-only password managers which people sync via scripts / dropbox / etc. They're doing fine, though 1P is dramatically better than the competition and I'm plenty happy paying for it.
They mentioned somewhere on their site (I don't remember exactly where...it might have been in an answer to a question on the forums) that one of the points of 1Password 7 is to bring the standalone versions up to parity with the subscription version.
Right now, standalone and subscription are essentially different products, with all new feature work going into the subscription product. With 1Password 7, they become essentially one product with different licensing options.
It sure didn't sound like they plan to get rid of standalone.
We always try to implement the new features for both standalone and subscription customers, when it is possible. There are features that are based on the server doing the heavy lifting (permissions, travel mode, account recovery, backups, item history) and they are not available in the standalone mode.
We do not make two different versions of the app.
Ben Woodruff
AgileBits
Of course growth numbers may suck, given how hard it is to make it for any app these days. Long-term growth would probably actually not be sustainable because if it blows up, there is no additional revenue down the road from lack of subscription, and also no network effects to power exponential growth in terms of market share. As far as I can tell, if you're not going to do subscription, there's no way to force users to pay to upgrade to a new version (new features) in the Apple App Store, not sure about Google Play. Your only option is to maybe create a new separate app that's able to import data from the old app, but that seems tacky to me. So, this really wouldn't be a big long-term play at all. But I imagine that there must be short-term markets out there willing to pay for apps that don't keep their data and usage hostage.
I'm myself thinking of making an app like this for budget tracking, just because I haven't found any out there these days that don't require neverending subscriptions and also fit my unique needs. Cloudless is also fine for me, as my phone is storage enough, or if it isn't enough, maybe use my iCloud storage, Dropbox storage, Google Drive, OneDrive, etc for holding the data? Besides that, it'll finally give me the kick in the behind I need to finally learn Swift, which I've been meaning to do for a while. Alas, I imagine cost of customer acquisition may be too high to make even a short-term profit.
So... would this just be a small project for me to prove I can learn Swift and show future employers that I can make smartphone apps too? Or is there actually a real business here and in so many other niches because some people hate being locked into subscription fees? Curious if anyone else has some thoughts.
Did you try GnuCash? It's not user friendly but a friend of mine swears by it.
https://www.gnucash.org/
What you'll like about hledger and legerCLI is a) the undo function of your favourite text editor and b) separate files that you can include into a master c) awesome reports on the terminal.
Have a look at hledger and ledgerCLI, the former has a lot of its functions in an API and you could thinker about using that as a base for a nice UI in something that is not haskell.
You might want to check this out too: https://github.com/firefly-iii/firefly-iii#introduction
One of the biggest reasons that subscriptions are proliferating is because it's really hard to make money with the old model. People don't want to pay large up front prices.
"As far as I can tell, if you're not going to do subscription, there's no way to force users to pay to upgrade to a new version (new features) in the Apple App Store, not sure about Google Play."
You can put a V2 in the store, and stop updating the V1. It's a terrible solution, but it's as good as it's gonna get.
I also don't want to pay for a upgrade just because apple upgraded the OS.
I now only buy mac software on Mac App Store.
Apps which I have not renewed include 1password, screenflow, textmate, vmware Fusion,
Paid Products I wish were on Mac App Store with free updates. Sublime, Paragon NTFS , printopia
Microsoft provides 5 years of Mainstream Support and 5 years of Extended Support at no additional cost (cost is built into the initial license fee).
Heck, I would more trust software that says 10 years of garunteed support rather than lifetime support. Too many companies fudge the meaning of "lifetime", and 10 years blows Google's 2 + 1 years of Android support out of the water.
That Apple makes previous versions of my installed software incompatible when I do upgrade should not be my problem.
(That said, I agree there is a problem here, and I think Apple should ultimately be the one who fixes it)
For Windows perhaps, but they sell Office as a yearly subscription.
(Office 2016 works well on Linux with Crossover. Just bought a Crossover lifetime license. Crossover has a decent subscription/license working - subscription is for updates, you can continue using indefinately if you stop paying. Although it is a little expensive.)
That mechanism is not built into the apple app store, which is why they cannot offer it.
There's probably not much platform-specific code in a password manager, but what are the odds it'll work perfectly under their next emulator, or that you can take such an old codebase and just recompile? 10 years ago, the old "pbproj" format was still supported, but the last Xcode that could open them was Xcode 3 (requires OS X 10.5 or 10.6).
Less than 10 years passed between the last Apple IIe sold by Apple and the first PowerMac G5. Or the last Newton to the first iPhone. Or the original Apple I to the Macintosh II. That timescale has big generational changes, and I don't agree that it's realistic for third-party developers to support software that long at no extra cost.
Then it's going to be very expensive.
I made the mistake, years ago, of selling perpetually licensed desktop software with free updates - the economics really don't work, and it's a mistake I haven't made since.
Why should you get free updates, though?
Also makes it easy for the family to share hulu, netflix, whatnot.
I would be more forgiving if the subscription was for value-added features, like dynamic syncing, or remote encrypted storage. But it ain't.
That’s a key component of a 1Password subscription, they host your vaults and handle annoying details like access control, etc.
This trend of subscription-ifying is horrifying. It's turning users into digital sharecroppers, for a guaranteed line of money. And 'easy-to-import, hard-to-export' is the modus operandi for these companies.
Sure, I'll take the karma hit. I already have with the prior post here. Evidently, people seem on the most part OK with allowing their personal data be trapped behind subscription paywalls... Well, they're OK with it until they're not.
EDIT: Lets make this crystal-clear what my complaint is:
> 1Password 7 from the Mac App Store will only support our hosted service, as that’s what you’re purchasing with a 1Password membership. If you install from our website, you’ll have to option to use a standalone vault synced via iCloud if you purchase a standalone license, or use our hosted service if you purchase a 1Password membership.
No Pay, Forget to Pay, can't afford == FUCKED.
Long story short, they hold your data hostage for the "New and Improved Business Plan".
We may argue about it but the most expensive solutions are still the most consumer-friendly.
From 1Password:
* Must simpler setup for sharing
* Permissions (read-only vaults, etc)
* Secret Key that is used in addition to the master password to better protect data stored in the cloud
* Account recovery (can be done by the family organizer for other family members if they forget their password or lose the secret key)
* Travel mode
* Automatic backups
* Individual item history
* Multifactor Authentication (TOTP)
* Mac, Windows, Android, and iOS apps included
* Support for Linix and Chromebooks with the new 1Password X extension.
In addition to that, sync is faster and more reliable. There is no worries about Dropbox/iCloud throttling when you set up a new device, etc.
1Password Teams and Business have additional features that build on top of that.
Also, the switch to the "1password cloud", instead of the already freely available iCloud/Google Cloud/Dropbox etc, just seems like a move to make people believe their expensive subscription are justified. There was absolutely no demand for a "1password cloud".
This entire push to subscription-hell makes me sick...
(i've had 1Password paid versions, OSX & iOS, for like 7 years btw.)
Vault sharing is simply impossible with iCloud. Sharing with Dropbox requires manual set up of shared folders.
Ben Woodruff
AgileBits
If you only want to use iCloud then you might be served better with a license.
I like that I don't need a Dropbox, Google Drive, iCloud, OneDrive, etc. subscription for 1Password to work. It's convenient.
AgileBits seems to be an honest company and they went the extra mile to backport some new features (TOTP) to their dated 1PW 4 codebase. I will give them the benefit of the doubt and try their subscription and should they ever turn 'evil', I know that alternatives like Bitwarden or Enpass are available and ready to import my 1PW vault.
In particular AgileBits is right about the missing upgrade pricing system really being a bummer. To this day Apple's decision to remove that remains one of the most perplexing decisions of anything they did with the MAS (or iOS App Store for that matter). The basic idea of paying just for marginal value added since original purchase whereas new purchasers are paying for the whole package from zero is an efficient, sensible and sustainable one that has supported the software industry well since the very beginning. Ongoing support of software costs money, particularly when Apple has made it another principle of theirs to be aggressive about pushing the platform forward vs backwards compatibility. No upgrades (or volume discounts or anything else) is still such a mind blowingly stupid decision in every respect. It's forced developers to make some tough choices unnecessarily, and IAP and subs are one way to go at it.
I agree. Many of the applications that have moved out of the app store (e.g. Dash) have also ditched sandboxing.
Going back to the situation where every application can read your whole home directory is a large regression.
(Of course, non-MAS apps can also be sandboxed, but many developers do not do it.)
Ben Wooodruff
AgileBits
Good times.
I get that these moves make people nervous, and rightfully so. But as it stands every version of 1Password in active development (not including maintenance mode):
* Can be licensed standalone.
* Supports local & Dropbox vaults.
* Was released within the last year, actively supporting those features.
The only feature they’ve actually killed off (by not baking into future clients) is WLAN sync. This is a regression for some, but personally I always found it super impractical.
I agree that how they are going about this doesn’t inspire confidence that these features will remain in the product, but to some extent it does.
While they downplay the hell out of it, 1Password 6 for Windows was a ground up rewrite that ditched local vaults and standalone licensing. Those features were reintroduced in 1Password 7 for Windows, which is a pretty big backtrack for them and requires renewed development effort.
AgileBits doesn’t always make the right decision. They develop opinionated software, like most good developers. However, just like the MAS-only decision they made with 1Password 4 and stood by for some time, eventually they do right by their customers.
1Password 7 for Windows is a great example of that. As much as they would love to go cloud only, they heard the feedback and brought back those two key features. At this point, I can’t expect much more than that.
This is incorrect. The command line client is subscription-only.
Ben Woodruff
AgileBits
Not in my experience.
I moved to LastPass the moment Agile Bits decided to not support its (non subscription) 1Password paying customers in having a web access to the vault.
I had bought all 1Password versions + updates (Windows, Android, Mac, iOS) which put me well above $100. One day I simply couldn't use 1Password online, which I relied on for Chrome OS use. Dropbox decided, rightfully, that the public folder shouldn't be used as a static web server, which is what 1Password used as online vaults.
There was a long discussion in Agile Bits' forums about this issue. Agile Bits argued that it wasn't its responsibility to solve this since it was a Dropbox decision and its users could still store and sync the online vault manually on their own servers. I argued that losing automatic sync rendered the feature pretty much useless.
In any case, Agile Bits could have transitioned its users to the subscription model by either giving them subscription time or by offering an alternative to the Dropbox public folder, but it decided that its customers were not worth the effort.
I had a lot of respect for Agile Bits and 1Password, but this was a crappy way to treat its customers, specially considering 1Password was not a cheap product.
LastPass is not as elegant, but I'm happy with it.
1Password for Windows is a full rewrite and the new codebase never had WLAN sync. We wanted to see if people really need it when we announced 1Password 7 for Windows: https://blog.agilebits.com/2018/03/20/introducing-1password-...
I think so far we had about 90 people expressing interest in it. For a product with over 15 mln customers, that is a very low number.
I don't care about that feature... but this HN thread is the first I'd noticed that 1Password 7 for Windows actually exists and finally brings back local vault support. I care very much about that. I'd have liked to know about that the minute a public beta landed. But... I spend approximately 0 minutes a day thinking about ways I could better engage with AgileBits.
Maybe y'all could spare some minutes to figure out how to better engage with me, a customer who gave you some money 3+ years ago and has hardly heard a peep from you since.
Blog and newsletter are the only options we have to communicate with our customers. I agree that it is not enough and not everyone receives this information.
If you have an idea how we can make it better, please let me know!
1) We often don’t even have contact details for customers (e.x. App Store purchases) 2) When we do have such contact details they may have only been given for the purpose of completing a transaction, and did not agree to receive a newsletter or ongoing communications 3) Even when none of the above is a barrier it is very time intensive to send a newsletter. Not only does it require a fair bit of time to craft but the volume of inflows to our customer support team after sending a newsletter are huge.
I understand and agree with your position that putting the onus of keeping up on what is happening at AgileBits on the customer is no solution, but we do have to balance the above considerations. We’ll continue to look for ways we can do better.
Ben Woodruff
AgileBits
It’s still available for the Mac client, but they’ve essentially said they won’t be supporting it in the future.
Ben Woodruff
AgileBits
However, hiding the non-subscription feature is silly. I do not wish to add yet another subscription (especially something so crucial as my what manages my passwords; I need [edit] it to work, no questions asked), and I would be more than happy to purchase a new license for 1Password 7.
The Windows version of 1Password 7 still can’t be licensed, they haven’t built that part yet. The Mac version however can be purchased, and if you plan on sticking with it I would do so now, as the price will be much higher in the near future. Right now it’s being offered at 50% off.
"Licenses will be available for $64.99 when we launch later this year, but are available now for only $39.99."
I just went through this. Install v7, open it, unlock your vault, and it'll prompt you to try a subscription, with a tiny option below to just buy a license.
Here are the license links:
https://1password.onfastspring.com/in-app/1password-7-for-wi...
https://1password.onfastspring.com/in-app/1password-7-for-ma...
Unfortunately however, 1Password 7 for Windows does not offer the WiFi Sync. There's more on that here: https://discussions.agilebits.com/discussion/87524/on-wlan-s...
Like you, I would have happily done a paid upgrade to 1Password 7, but a subscription to access my passwords is a non-starter. And after having been made to feel like a second-class citizen for so long, they've burned any good will I had for them and I'm done buying anything from them.
Enpass[0] is worth a look. Free on desktop, one-time fee on Mobile, sync via the cloud provider of your choice. Also available for Linux, which is what drew me to it.
[0] https://www.enpass.io/
As a free user I've contacted their support twice and they replied within minutes.
But shamefully, as it stands, "self hosted" for Bitwarden really means "host on your server, with our server's permission"
Reference (see "Installation Id/Key"): https://help.bitwarden.com/article/install-on-premise/
Could you give me some details on what we've done to make you feel like a second-class citizen? I'm sorry if we've made you feel that way, it certainly isn't our intent but clearly we've done something that hasn't sat well with you.
Licenses aren't going away and we are definitely offering them for version 7. There are a variety of new features that both license and subscription users will see in version 7 as well.
The command line tool was made possible because our server component was written in Go and so we had a great deal of the work done as the command line tool is also written in Go. So there's a great deal of shared code there.
The original intent of the CLI was to allow administrators to automate the creation and deletion of users and vaults. They do this type of stuff all the time and having a tool accessible to them for this purpose was a goal of ours. It has the ability alter items and all that but I think for the most part it's used as an admin tool more than anything. Very little of this applies to the way the standalone vaults work.
Either way, I'd love to understand more about what we did to wrong you so I can pass that information along to the teams that need to see it.
Thanks,
Kyle
AgileBits
The feeling of being a second-class citizen comes from recently purchasing a new computer and the process of getting 1password configured.
- First, the webpage. The 'Try it free', 'pricing' and 'get started' links all go to a sign-up page that makes no mention of the non-subscription option. To download the software, I had to find the little 'download' link in the footer of the page. Given that it's still possible to signup for the subscription service after downloading, I'd like to see a more prominent 'download' to both support people like me who have an existing license and people who want to install first and sign-up second.
- Second, there's the experience when first starting the app. It actually took me about 30 seconds to figure out how to connect it to my existing vault that I keep in Dropbox. The sign-up flow is so prominent. It may have been different if I'd installed my license before connecting my vault, but I keep my license in my vault, so that's a bit of a chicken-and-egg problem.
- Third, on my new computer I discovered the Station app, which seems like a cool way to separate my persistent, always open tabs from my normal browser tabs. It has 1Password integration, but uses the CLI client to accomplish that, which means I'm out of luck and stuck having to copy-paste my password every time GMail wants to reverify. Adding support for non-subscription to the CLI would mean a lot since it's used to integrate with other apps.
Alternately, if you'd like to publish developer documentation on the native message protocol used by the Chrome extension, I'm happy to write code myself. I've wanted a modern version of http://sudolikeaboss.com for a while, but reverse engineering your protocol crosses my not-worth-the-effort boundary.
None of this is major, but it's all the little things that contribute to the feeling of being second-class in the eyes of AgileBits.
Regarding your first point. I've filed this feedback to our team in charge of the 1Password.com page. I don't have much more than that right now but I generally agree with you. There are probably reasons for why we focus this a bit differently... Notably, if I had to guess, that paying through IAP (which is how they'd likely end up paying if they sign up in app) costs us a significant amount more and offers far less flexibility. Just one potential reason I think.
For the second. We've rewritten this welcome screen multiple times... turns out getting it right is incredibly difficult. I think we've gone through something like 50 different variations of this single pane now. I honestly don't have anything on in mind that I can share here.. it's both frustrating for us because we know people are confused by it, but we also aren't sure how else we can present that information that's going to be more clear. It's always a teeter totter, trade one thing for something else, but we lose something as well. I do appreciate you commenting on this though, I'll pass it along to the rest of the team as well.
Station is one we don't generally recommend using in this way... First the blog post where we talk about this general concept: https://blog.agilebits.com/2013/03/06/you-have-secrets-we-do...
Then the quote from it that matters most:
> We have to advise you to never enter your 1Password Master Password into anything that isn’t 1Password. We aren’t casting aspersions on the integrity or competence of any developers, but we simply can’t advise otherwise.
So our general stance here is, you really shouldn't enter your Master Password/Secret Key into third party apps. We can't vouch for it and you're basically giving Station full access to your data doing this. Entering it into the CLI directly is great, but.. Station is gaining access to this information which is the issue we generally have with suggesting this type of thing.
Adding support for standalone vaults to our CLI is... difficult. The 1Password.com server is written in Go. As is the CLI. We were able to make the CLI in super fast form because we could piggy back on the code we have for the server, move a couple modules over to a new project, write some glue, wah-la. The CLI also started as a tool for management of accounts... think adding users, deleting users, adding vaults, granting access, etc. Admin type stuff. Literally none of this applies to standalone vaults.
At best we could write a CLI (separately) as part of the 1Password app that is in Objective-C/Swift, since we could piggy back on existing libraries we have in 1Password for Mac/iOS. But I really don't see very many people needing this... would it be cool? Absolutely... but... I don't think there's this great demand for it.
Regarding sudolikeaboss, I think we'd ultimately like to see something like that again. But the way sudolikeaboss worked was incredibly hacky and it was bound to break because of this. We'll have to take a look at this for future updates, but I don't see sudolikeaboss coming back as a thing, perhaps we can do something internally though. There was simply no time for this for 7.0 though. But maybe it's a neat idea for 7.1 or 7.2... both of which have some already huge features planned.
So to kind of re-iterate a little bit. The CLI exists because it was super easy to glue pieces together from existing code. It's not like we set out to write this to stick it to anyone, we wrote it because we seen a demand for it by administrators who were on unix type systems and they wanted ways to admin their accounts. It gained some editing/using features as well but those came after. Interestingly the CLI talks directly to the server fo...
Correct me if I'm wrong, but couldn't you re-use the plumbing that you have for the Chrome extension? The blog post was here: https://blog.agilebits.com/2017/07/19/introducing-native-mes...
That way, software could integrate with 1Password by triggering 1Password to prompt the user for the master password, choose a password entry and send that data back to the application that triggered 1Password. That way, the master password is never sent to anything that isn't 1Password. This was the workflow of sudolikeaboss. The implementation of that, however, was hacky since it used a reverse engineered websocket connection behind the scenes. It would seem that the native messaging stuff is a little cleaner and would allow third-party apps to trigger 1Password in a way that, at most, a single password would ever be exposed.
I guess the ask would be to make that native messaging protocol that the Chrome extension uses a documented and stable thing. And since the 1Password application is used by both subscribers and licensees, that can become the preferred way for 3rd parties to integrate with 1Password in a way that users know only exposes individual passwords at the single point in time when they're used rather than the entire vault, for exactly the security reasons you mentioned.
BTW...as much as I've felt frustrated by some of the decisions AgileBits has made, in the few interactions I've had with people at your company, everyone has always been the above-and-beyond type, as you've exhibited here, so thank you for the effort to engage in this discussion, likely long after others have stopped reading this thread.
There are two important things:
1. We check code signatures and compare them against what we know and expect. 2. The more we approve for this the more it feels like we're screening and supporting the ones we do approve.
We have opted to remove all browsers except those that are mainstream (Chrome, Firefox, Safari and Opera). I believe everything else has been removed. We also don't allow this to be disabled, for security reasons, as of recent versions.
sudolikeaboss would also require that we add their code signature to the app and it breaks the new rule we have on that.
If sudolikeaboss ever came back, it'd be a home grown solution internal from us. It's the only way we could make this work I think.
Security is really tough. We didn't want to start feeling like we had to screen all apps and vouch for them. It's a really slippery slope. Maybe we'll find other ways to accomplish this though. There are indeed some .. plans.. that might actually really impact this in the future! We'll have to see what comes from WWDC this year before we make next steps though.
And thanks for the kind words. I like hacker news, I hang out here and read stuff during my lunch and stuff, so it's a pleasure getting to converse with people here. :)
Kyle
AgileBits
We originally started with offering both licenses and subscription as equal options. Here is how it looked: https://web.archive.org/web/20160420141241/https://1password...
There was a lot of confusion with this design because people simply had no idea what to choose. It is ridiculous but we had many hundreds of customers purchasing both.
The subscription is a better option for most of our users because it takes care of so many things:
- no need to purchase separately on every platform
- no need to learn the difference between iCloud and Dropbox sync, and why sharing is not possible with iCloud option
- no need to learn how to set up a shared Dropbox folder
- no need to worry about backups when your computer or phone dies
- and more
Many of our long-time customers still use licenses and are happy with the existing setup and we want to keep them happy. This is the main reason we keep the licenses going and releasing new version for Mac and Windows support for licenses and standalone vaults.
1Password accounts seem like a very attractive target for something like Stuxnet. I just can’t bring myself to put my trust in a corporation, given the history of pivots & acquisitions and subsequent licence changes & data repurposing.
On iOS, scroll down the list, you'll see an option on the welcome screen to create a standalone vault. You're not on a subscription doing this.
Already have a vault synced to Dropbox or iCloud? Tap the requisite option on the welcome screen and it'll suck the data in from your sync source of choice. Again, no subscription required.
Kyle
AgileBits
There are no plans to remove Dropbox support. Especially not after we spent an entirely non-trivial amount of time getting the SDK updated.
Kyle
AgileBits
Here are the license links:
https://1password.onfastspring.com/in-app/1password-7-for-wi...
https://1password.onfastspring.com/in-app/1password-7-for-ma...
I totally empathize with those who refuse to use cloud/subscription services as, let's face it, there are a lot of bad actors doing crappy things with our data.
But for me 1Password seems like a small, honest company providing great quality service and software. I'm a happy customer.
Yes, I imagine because they have carefully crafted that image through blog posts and impression management. They have over 70 employees to write a password manager. 70!
We have designer and development teams for Mac/iOS (Objective-C, Swift), Windows (C#, .NET), Android (Java, Kotlin), browser extensions (JavaScript), 1Password server (Go), 1Password web client (TypeScript, ReactJS), command-line client (Go), SCIM/LDAP integration (Go, Docker, Kubernetes), and a ton of other smaller projects.
There is a Security Team that does security reviews, works with BugCrowd researchers, and does SOC 2 compliance. DevOps team works with AWS and Google Cloud.
We want to do more. We are hiring :)
So Apple could easily make it much better but they haven't.
I see Apple coughing up none of the costs that they create by regularly fiddling with their platforms and hardware in breaking ways, yet that is a big reason why software can’t be sensibly “bought once”. Now they’ve come up with a scheme where they not only don’t give developers discounts for maintaining software but actually take yet another cut.
Don’t judge developers too harshly.
The only exceptions are situations where hardware and platforms change slowly or not at all. e.g. Single player video games (and even that is largely consoles), certain kinds of embedded, etc.
People are already becoming frustrated with all the subscriptions they have, though. People are “fine” with paying to maintain things like their home and car. The problem with software is that it doesn’t really “break” from use. Updating the platform and hardware around the software is what can break it. It would be like the pipes in your home are indestructible and never burst in winter, but they can explode when building codes update or the water treatment plant changes it’s equipment.
I'm OK with the model that VMware is using, at least on the Mac.
You buy version X, you have version X. Version X gets updates for some amount of time. Eventually, a Mac OS upgrade makes version X no longer work, so you have to pay an upgrade price to upgrade to version Y. There is no subscription, but there is regular income to the company to make the updates you describe.
I feel what galls people is that we buyers have nothing to show after ending a subscription, especially if we are not using anything “servicey” about said subscription.