Don't believe the 1Password FUD — here's what's really happening

And you STILL have versioning, backups and the ability to affect change on how secure your vaults are when you control your vault's location. None of that has changed.

You can still have local vaults under the sub license.

It's not often you see someone recommended to trust a third party with all of a users passwords.

You don't have to. You can still have local vaults. If you find it easier, you can use their cloud vault.

True. I guess my rant was off-base. Thanks for the correction.

Rene: With all due respect, this is not an accurate depiction at all and blesses the subscription model which is not necessarily the best nor way to go for all products. Lets start at the beginning. 1) Consumers bought a product license for $x. They like the features and decided it was right for them.
2) Consumers pass on some upgrade purchases as the features offered in new versions do not equate to value to those users.
3) Consumers eventually buy an upgrade or new license if/when the feature set is valuable enough to to them. However, under the subscription model you are forcing users to pay for updates and features that may have ZERO value to them. This is sadly the case with 1Password. The version I and my family use is more than adequate for our needs and we already pay for a cloud storage plan that is at least, if not more so, secure as AgileBits. Subscriptions will ONLY work in situations where there are frequent upgrades with features that most users will put value in and that fact is clear. Examples include MS Office, Adobe Apps, etc. And, in those cases, the subscription costs is a very small portion of buying a new license. Again, that is not the case here with 1Password. Agile Bits has really missed on this one.

What has Agile Bits missed? You still have exactly what you like.

Rene's subscription must be free. Otherwise, This is an embarressing article. As others have pointed out, 1Password was never free. I paid good money for licenses. Will not use a suscription based model. Lets see how long my license is supported before being forced to a subscription,.

I've always paid for 1Password and will always keep paying for it. It's what I do with every piece of software I want to stick around. (Also pay for Google Accounts.)

Never heard of 1password until I read this. Why would I put all of my passwords, credit card numbers, etc. into the hands of a single 3rd party? You might as well store passwords on your OneDrive or iCloud. Stupid. This is a disaster waiting to happen.

So you probably use the same password for everything and its most likely something simple with just an uppercase letter and a number. Or, you write down your passwords in a book, or even worse, in macOS Notes. You have no idea how this app works. Why not do a little research before making such a silly comment such as what you just made.

Or, like me, he uses a password manager that stores all passwords locally or on a shared drive under his care, custody, and control. Perhaps he uses an open-source one like KeePass, Padlock, or Passbolt. Leave commenting on this to those of us with more knowledge about computer security, because you're just making yourself look silly.

How is that different than configuring 1Password to store your vault on a local or shared drive under your care, custody and control?

I think that there's been a miscommunication. That's exactly what I do and what I am suggesting. One can use a password manager, and complex, unique passwords, without entrusting the storage of those passwords to a third party cloud service. The potential loss of this feature in future versions of 1Password is why so many of us are concerned.

Nope, not even close. My important passwords are quite complex and long, no words involved, just random-looking characters/numbers/specials. But they have meaning to me, and are easy to remember FOR ME. For throw away things - like here, gmail, yahoo mail, etc. - they are less complex, because I have nothing in the accounts to lose. You have no idea how my passwords work. Why not think a little before making such a silly comment as YOU just made.

Wow, a lot of nonsense. Did you people even read the article? They are not forcing anyone to do anything. First, you can still do what you've always done with them. Even in the next version. Considering their history, if people still want it I bet in version 8 you'll still be able to have the stand-alone verison. As for subscriptions, I normally am against the concept. But I'm stuck with Photoshop because I have no choice. But when I retire? I'm going to stop paying and buy the competition. There are several good alternatives to Photoshop out there for personal use. But I finally saw the benefit of 1Password's subscription and went with it after the free six month trial. Any security worries are unfounded. Because you do sync through their servers, but you also have a local version of your data, so the scenario portrayed above is not an accurate portrayal of the danger. Fact: Of all the password managers out there, 1Password is the only one I've heard of that has never been hacked. The other popular ones have been. Renee's article is accurate, and the ludicrous criticism here is out of line. You can disagree with him, but his reputation, and long history, deserves some respect and the petty pot shots taken at him here are just more examples of the ugly America we're coming to see more and more thanks to people without ethics and without shame running rampant everywhere we look.

Not only did I read the article, I read everything quoted by the article several days ago. You wrote: "Any security worries are unfounded. Because you do sync through their servers, but you also have a local version of your data..." That's like saying that your credit card number can't be stolen from them because you have a local copy of it in your wallet. You wrote: "But I finally saw the benefit of 1Password's subscription..." To you. It has no benefit to me (or to many others). It's simply a security risk, money sink, and potential failure point and target for a DDoS. You wrote: "Considering their history, if people still want it I bet in version 8 you'll still be able to have the stand-alone verison." What history? They sold a password manager as a standalone product for years, with many of us paying for multiple licenses, and now there's not even a place on their website to purchase it. You wrote: "the ugly America we're coming to see more and more thanks to people without ethics and without shame running rampant everywhere we look." People like you, when you personally attack others for daring to disagree with you. If you like the subscription model for 1Password, that's fine. But don't refer to more experienced and knowledgeable people's valid concerns as "ludicrous criticism" and "nonsense."

They have never been hacked. Does' t mean they can't be. But my point was about the local data is addressing the comment about someone hijacking the data on their servers meaning you have lost access to your data. That's not true. And you are incorrect about not being able to find their standalone version. Many people have. Yes, they could make it easier to find, but it's there. And their forums are full of links. Some people seem to expect to be spoon fed everything I suppose. As for the "personal attacks" I was criticizing people personally attacking Renee for telling the facts. They might not like them, but it's childish to react like he's some kind of shill because they didn't like what he wrote.

You wrote: "my point was about the local data is addressing the comment about someone hijacking the data on their servers meaning you have lost access to your data." You called it a 'security worry.' I'd call that an availability worry. You wrote: "And you are incorrect about not being able to find their standalone version. Many people have. " No, I am not incorrect. I wrote, correctly, that "now there's not even a place on their website to purchase it." Go to 1password.com. The links across the top are: Tour, Security, Families, Teams, Pricing, and Support. Under which one is there an option to purchase a standalone version? Their forums are not full of links. They are full of offers to conduct transactions through email. Ben, from AgileBits wrote "We're no longer marketing standalone licenses, and as such have removed the upgrade option from the webstore." You wrote: "Some people seem to expect to be spoon fed everything I suppose." And the personal attacks continue. I'm locally hosting the kind of services that you likely have to pay someone else to "spoon feed" to you.

"Fact: Of all the password managers out there, 1Password is the only one I've heard of that has never been hacked. The other popular ones have been."
It's generally a bad idea to present conjecture as fact...which is exactly what you just did. "only one I've heard of"
"You can disagree with him, but his reputation, and long history, deserves some respect and the petty pot shots taken at him here are just more examples of the ugly..."
Renee's reputation as a journalist is exactly what requires people to question him when he post a puff piece like this one. He is being questioned by people who also have long careers. Many of us have long careers in either IT security or one of it's peripheral fields. So, yes, the experts should question the journalist, especially when it's clear the journalist never bothered to question the experts.
Renee's stance is in direct opposition to many security experts with very long careers. But if you want to trust the guy who spends most of his days writing SEO optimized articles about a VERY broad range of articles over the people who spend their days, you know...actually working on security. Go right ahead!

He's being questioned by a bunch of random people on the Internet. You don't have a picture and a username of "subnetwork". I don't know whether he's right or wrong but he's well-known in Apple reporting. You're just a random person from the Internet commenting on the piece. So who should we listen to?

You are right, and that's the problem I have. He, as a well known writer, is putting out a puff piece rather than doing the actual reporting. You suggest that because you trust his reporting on Apple, you should also trust his reporting around security.
Me? I'm only an 18 year IT veteran. I'm a wireless network engineer, which as you might guess has a HUGE requirement for security. I'm easy enough to find online, but I won't spoon feed you puff pasty, I guarantee that!

And your a random person on the internet too...so what?

I think many of the security experts didn't have the full story, which is 1Password's fault, and rushed to make recommendations, which is their fault. I spent a few days looking at it before writing anything, which doesn't mean I got it right, but means I had time to try a lot of things and ask a lot of questions and, hopefully, provide a well informed, non-reactionary opinion.

I am glad we have people questioning Rene, and I am sure he is also. I too am struggling with his recommendation, and I am grateful that informed people who disagree with him are posting their concerns for me to consider. The point is that civility has disappeared on so much of the web that even well intentioned people let their passion get away from them and frame their arguments in box (perhaps subconsciously to give them benefit of the doubt) that if you disagree with them you lack ethics or morals, or are an *****. This is a great topic to keep at a high level of discourse. Thanks Rene for stimulating discussion on a topic that is important, and thanks for others who disagree taking the time to point out where they think Rene is missing issues.

This article provided no new information to me and it has done nothing to convince me that my concerns, and those of others, are unwarranted. It looks like AgileBits is unable to make the 1Password subscription service compelling enough to get people to voluntarily subscribe, so they have removed all obvious means of purchasing standalone 1Password licenses. Sure, you can get them for now via back-channel emails, but that reeks of something that is about as likely to be around in five years as Radio Shack. Rene quotes the AgileBits blog, which says "And you need not worry about 1Password 7 for Mac, either, as it will continue to support standalone vaults just like version 6 does today." i. What happens when version 7 no longer works due to a macOS upgrade and 1Password goes to version 8, which has no support for local vaults? ii. What will the pricing be for the standalone license for 1Password 7? How do we know that AgileBits won't drastically increase standalone license price to push people to subscriptions? What if your employer or their clients prohibit storing passwords on some other company's computer and the local vault storage option is gone? You want to tell the DoD that 1Password will be great for their SCIFs and that all they have to do is add Internet connections to their secure networks, including those on which they store TS/SCI SAP data? Also, it's not a monthly subscription fee. It says right on their web page that it is billed annually, in advance, so the 5 bucks/month for a family plan comes out to about 60 bucks all at once. The Terms of Service say that "All amounts paid are non-refundable." That sounds like a yearly subscription to me. It auto-renews unless you cancel -- and you don't know what the cost will be next year: "AgileBits, Inc., in its sole discretion and at any time, may modify the Subscription fees for the Subscriptions. Any Subscription fee change will become effective at the end of the then-current Billing Cycle." Do you really want all of your passwords, license keys, etc. to be subject to this clause: "We may terminate or suspend access to our Service immediately, without prior notice or liability, for any reason whatsoever"? I have a business Internet connection on which I host cloud storage, VPN, web/Wordpress servers, mail servers, SSH, and FTP. I don't need to pay AgileBits 60 bucks per year to store 5MB of data remotely for me, especially when I can put it on Dropbox for free if I choose to store my passwords on some third party cloud storage provider's disk drives. Because of all of the above, I am actively looking for a replacement for 1Password. I don't intend to be caught with my pants down when (not if) they decide to sunset non-subscription, local versions. P.S. I've paid for multiple 1Password licenses over a period of more than four years. I don't "expect everything to be free all the time" and I find that allegation from the article to be insulting,

The traditional software business has been shattered. Apps have become pop-culture. That makes it very tough for any app to survive unless it's not a business but a part of corporate marketing or data acquisition. At the same time, people want more and more apps, and it's not realistic to think most people can pay high prices or subscriptions for all of them. 1Password will do what it has to do to survive as an independent business that wants to continue producing a product. (LastPass was sold, by contrast.) It's up to every individual to decide if 1Password is valuable enough that it's worth the subscription. My sincere opinion is that most 1Password customers, especially families, will be better off with the new model, even if the idea offends them at first.

Thank you for your article and thoughtful reply. I largely agree with your point about 'app acquisition' (hoarding?). That said, 1Password's new approach seems to have combined all of the bad elements of monthly subscriptions with the high cost normally associated with a license purchase. Many families which are cash-strapped might be able to justify a five dollar per month expenditure, but aren't comfortable being hit with it as an annual, paid-in-advance, non-refundable, sixty dollar fee. If AgileBits wants to maximize the success of this new model, they should do the following: 1. Bill a monthly fee on a monthly basis. Don't advertise a monthly fee in a large font and then disclose in the fine print that customers are actually paying a non-refundable, annual fee that's 12 times as high. That just seems sleazy. 2. Guarantee to cap rates for customers who maintain continuous subscriptions. In other words, if you sign up at five dollars per month, you keep that rate, or pay the prevailing rate if lower, for so long as you maintain a continuous subscription. 3. Guarantee to provide then-current subscribers with licenses in perpetuity for 1Password (with local storage/sync) should AgileBits shut down their 1Password subscription service. Otherwise, what happens if they decide in, say, three years that they want to sunset 1Password because it's not profitable (enough) and move to some other product or service (e.g. an enterprise crypto-related service/product)? You wrote: "My sincere opinion is that most 1Password customers, especially families, will be better off with the new model, even if the idea offends them at first." Only if they sign up for it. If implemented, the three suggestions I made above make it much more likely that they will sign up for it. P.S. Sorry for the 'long form' dollar amounts, but the spam filter won't permit me to denote monetary amounts in a normal manner.

I think those are all great suggestions. There's a lot any company can do to mitigate the anxiety of transition. I hope the 1Password team is listening to and evaluating exactly this type of feedback. Cheers!

“To put it bluntly,” this really is an insulting article. To state that I’m having a “hard time seeing beyond the hear-and-now” is insulting. It is my responsibility to be concerned when changes are made to a cornerstone in my internet security system. I have yet to see an explanation of how I’m more secure by moving my passwords from local control to a central server, along with every other users passwords. The reason 1Password always beat LastPass is local control of password vaults. To imply that I expect everything “to be free all the time” is insulting. I’ve purchased 1Password multiple times; multiple single licenses, several family packs, licenses for relatives, and then again when 1Password became available on the App Store. I pay for software, especially “for something as important as security software.” “Change aversion” is appropriate for security software. Password managers go beyond mission critical they are literally the keys to the castle. If there is FUD it’s not the users fault, it’s AgileBits.

The article seems to fully embraced the companies line - anyone not doing so is is simply upset because "everything is expected to be free all the time" - this is rubbish - its not a free app anyway Saying that people who don't want to host their usernames, passwords, credit card details and more on a developers web site are simply people who "hate change and often have a hard time seeing beyond the hear-and-now" - is amazingly condescending at best. I would have expected a better balanced assessment of the situation from iMore... but then, apparently, I am one of stupid those people full of FUD. By the way....it might be worthwhile take a look at the Agilebits terms and conditions (Google it)- they seem pretty much at odds with the supposed absolute safety of the hosted model: "....The Service is provided on an “AS IS” and “AS AVAILABLE” basis. The Service is provided without warranties of any kind...." blah blah blah. I have purchased many copies for personal and my company use over the more than 10 years but no longer.

You can still use local vaults. I'll add that in bold to the article since it seems to be one of the primary concerns.

It's only in the last few days, after the Blog post you quoted in the article, that AB has tried to change its message. It's been months and months of toxic, condescending responses on the AB forum to concerned (pre-existing) customers like me. Suggest you take a look at the forum. Agile bits have repeatedly, in many many responses told customers "we're no longer marketing the standalone license offering"... "we are no longer recommending it for new customers" But: local vaults no longer supported in the current Windows version, there are currently no plans to bring that feature back. Travel mode is only in the hosted subscription version. Look, each to their own, if folk are happy to put their user names passwords, credit card detail, identity information on a developers outsourced server good luck to them. But that doesn't mean people who are reluctant / refuse are stupid.... and ABs decision to treat them, and me, as such doesn't work for me.

"1Password 6 and even 1Password 7 will continue to support standalone vaults." What about 1Password 8? While I'm no statement analysis expert, that sentence doesn't seem very reassuring.

Apple should make a password/information storage app of their own. I'm really surprised they haven't done this already. (the passwords stored thru Safari is not good enough)

They do....its called Keychain Access. You can store just about anything in there.

Thanks, I see that now on Mac with the Keychain app and I can add notes etc. But you can't access the notes on the iPhone. Apple should make keychain app for iOS and improve the app on all devices.

I won't use Keychain until Apple allows for master passwords. The idea of loaning someone my phone, tablet, or laptop and them having immediate access to my passwords and credit cards is appalling.

Agreed 100%. Can't imagine why this isn't an option you can turn on with all the security steps they have on KeyChain.

I don't want my password info stored in the cloud, no matter what Agile Bits says. This is just a way to increase cash flow - which I understand. I would rather pay $20, $40, $60 a year to keep the same setup I have currently with local storage. If they need more money, charge more for the program and for updates. I have no problem with that as I find the program extremely valuable. as it is currently set up

As iCloud Keychain gets better, I think 1Password is boxing themselves out here. The main reason why I like 1Password is local vaults. Well also iCloud Keychain seems to miss every 4th password entry, but in the latest codes, iCloud Keychain is getting much better. I know all about the difficulty of maintaining a profitable development team, but you never should go back on the one thing that makes you so excellent. 1Password = Local Security. I'd rather they increase the price for the updates or offer both subscription and perpetual license options.

It's the lack of master password or Touch ID auth that bothers me about iCloud Keychain. I want it to require re-auth when accessing passwords and credit cards.

Heh, I hope those aren't the only things that bother you about iCloud Keychain! That's one Apple 'feature' I won't be going anywhere near.

I believe the iOS app was free, but had some stuff locked up because my wife just installed it on hers and didn't pay for it. I think it Agilebits is moving away from standalone vaults, that will take away its appeal. I went with them because of local wifi sync. Felt it was safer than trusting the cloud. It just seems like time will tell.

It's hilarious how the majority comments below the linked article in AgileBits blog come from their own staff. Almost like a day in the life of Gwyneth Paltrow's Goop PR department.

I agree with @tavisio a vulnerability researcher at Google....."It's not as simple a topic as everyone wants it to be...and I'm sick of the toxic discussions" Zealots come from everywhere and personally attack anyone who voices a security concern. Insulting articles like this are typical of that approach - if you, Mr Customer, don't want to put all your usernames passwords credit cards etc up on the internet on a developers outsourced server farm then you Mr Customer, are objecting only because your too cheap to pay for software and you "hate change and often have a hard time seeing beyond the hear-and-now" Take a look at the 1Password forum and the toxic condescending responses customers get when they ask about standalone licences. This is NOT the company it once was. Existing customers were invested in this product, supported it for many years paying for multiple licenses and upgrades, recommending it to friends and co-workers. They are a bit upset to have that product pivot as it has.
There is only one reason AB would not offer BOTH standalone and hosted - "AgileBits is moving to a more sustainable business model"…. it ain't got nothing to do with customers. For me, I no longer use or recommend the software and wouldn't at any price - even if it was free.

You can still use local vaults.

"AgileBits is moving to a more sustainable business model"
And if you don't like it you
"hate change and often have a hard time seeing beyond the hear-and-now" Existing software still works, but that ain't the point mate, and I rather think you know that.

No, that is the point, mate :)

”To put it bluntly, AgileBits is moving to a more sustainable business model that will allow them to better develop and support 1Password now and into the future. It's ultimately better for customers too, but people hate change and often have a hard time seeing beyond the hear-and-now — even for something as important as security software.” This is a common theme: blaming the resistance to the subscription model on loud, angry customers who just hate change. Rene Ritchie does it and Jason Snell did the same thing (I had to remove the link because my comment was marked as spam): ”Still, AgileBits knows that a (loud, angry) portion of its customer base hates software subscriptions.” But the concerns are much more well grounded than that. One of the fears of the subscription model is that it will remove the motivation that drives developers to keep bringing new and improved features to their product. It's very easy to become lazy when the money is rolling in anyway. Rene Ritchie says it's ”ultimately better for customers too” but is that really true in reality? The recent discussion about Lightroom and Adobe (I had to remove the link because my comment was marked as spam) shows what might happen when a company switched to subscription model in reality: ”Also, the feature set in Lightroom has slowed to a crawl ever since Adobe locked us into a subscription. They swore up and down that the subscription model would allow them to make better improvements to products and consistently develop them over time. That is simply not factual. The list of significant features added to Lightroom in the last two entire years is barely one sentence long.”

I can hear AB now... we won't do that! As if.

I don't use Lightroom but I've been fine with Photoshop since Creative Cloud. I think updates trickle in and so you don't notice them as much as you did with the big releases? Updates can only slow when there's no competition and there seems to be good competition in the password manager space.

A subscription model is fine so long as you choose to use a service which requires server-side processing, such as a company's cloud computing system or whatever. The problem with Photoshop is that the product itself does not require any kind of server-side processing, which is evident with the fact that you have never needed an internet connection to use Photoshop. This is still the case, so all it boils down to is that it's a money grab, and it's a very bad practice. I no longer use Photoshop because of this and use Affinity Photo + other products instead, and I've moved from 1Password as well

As long as I have local vaults and don't need to move to the cloud, fine. A new version comes out, I pay, so not a problem. Forcing me to move to the cloud means that I go to another product. I pay for software I need or want and generally avoid free as that has a cost that will 'byte' you somehow.

I moved to 1P some time ago and absolutely love its security model,ease of use,browser intergration with Safari,and overall pricing structure. Security software,executed briliantly,that just makes my daily interfacing with digital and computers, that much more fun;with flow and finesse.

I got 1Password when I bought my MacBook in Jan 2009. I upgraded to a family licence on all platforms. I haven't upgraded since version 4. Last week I made the jump to the subscription so that I could stop using DropBox to sync and so that I could share more easily with my wife. I love the easy QR code setup and the safety of the printed doc to recover your account. Keep it locked in a safe place and your family can access your passwords if anything happens to you.

I moved to Enpass a long time ago - Enpass stores your passwords locally and can sync with your choice of cloud service should you wish to. It works like 1Password and looks very similar with browser plugins etc.. The desktop app is free and the mobile app costs $9.99 for a lifetime license. I'm just a happy end user.

Security experts on the side of local vaults championed 1Password. Those experts will naturally stop recommending and start criticising the app _vehemently_. It is not FUD: it's a valid argument. You can have subscriptions to an app that uses local storage. 1Password has chosen not to do that. They have abandoned supporters and foolishly think they can change the minds of informed individuals and experts. Yet all they need to do is announce subscriptions give you both and support will be restored.