Don't believe the 1Password FUD — here's what's really happening

1Password on iPhone (Image credit: iMore)

1Password, the well-known password manager app for macOS, iOS, Windows, and Android, garnered some negative attention over the last week. A combination of the company's move towards subscription and sync and away from standard licensing and local vaults, its lack of communication, and some needlessly reactionary and sensationalized headlines in the media, led to a lot of bad information being spread.

Some of that has now been corrected by co-founder Dave Teare on the AgileBits blog:

For those who purchased 1Password 6 for Mac already, you're perfectly fine the way you are and can continue rocking 1Password the way you have been. There's no requirement to change anything as we will not be removing features or forcing you to subscribe. In fact we're still selling licenses of 1Password 6 for Mac for those that really need them (you can find them today on the setup screen under More Options). And you need not worry about 1Password 7 for Mac, either, as it will continue to support standalone vaults just like version 6 does today. We know that not everyone is ready to make the jump yet, and as such, we will continue to support customers who are managing their own standalone vaults. 1Password 6 and even 1Password 7 will continue to support standalone vaults. But 1Password memberships are indeed awesome and are the best way to use 1Password, and as such, I am going to continue to nudge you over whenever I can 🙂.

To put it bluntly, AgileBits is moving to a more sustainable business model that will allow them to better develop and support 1Password now and into the future. It's ultimately better for customers too, but people hate change and often have a hard time seeing beyond the here-and-now — even for something as important as security software. Especially in the age of pop apps, where everything is expected to be free all the time.

But it's in the very age of pop apps, where everything is also mainstream, that the move to subscription and sync makes the most sense. It's why iPhones and iPads moved to iCloud backup rather than being grafted onto Time Machine. Computing has gone mainstream and mainstream computing requires solutions that are easier and friendlier.

I tried to set my family up with the old, licensed 1Password and they never stuck with or updated it. Now I'm subscribing to a family plan and I — combined with the team at AgileBits — will just handle it for them.

We're already using 1Password Teams for work, even though I work with really nerdy people, because easier and friendlier is appreciated by nerdy people too, especially when you have to scale.

I do think 1Password waited too long to over-explain what they were doing and, absent news, the worst kind of speculation runs rampant.

But, change aversion aside, I think most people will find the new 1Password model as good for them as it is for AgileBits, and they'll appreciate the security not just of their passwords being kept safe but the software itself being sustainable for years to come.

So, if you're already a 1Password user, avoid all the FUD and take your own hard look at the new direction. That's what I did, and why I'm switching to it sooner rather than later.

(I also subscribe to Creative Cloud — for some apps, it really is the better way.)


Note: You can still use local password vaults if you want to.

Rene Ritchie


  • Rene,
    1password was not a free app. I don't expect it to be free, and did not mind paying for it. Paying a lot of money for it, in fact. I have over $150 in licenses for 1password alone. Suggesting that those of us who choose not to trust Agilebits with our vaults are wanting something free/cheap is insulting and completely glosses over the security and system implications of the move.
    Let's start simple. What happens to your vaults, Rene, if Agilebits comes under a DDOS attack? Can you access everything you need to access? For how long?
    Let's take it a step further. Let's suppose that Agilebits security is compromised by a three letter agency, and that compromise is later exploited by hackers/extortionists. Sound familiar at all? Sure, the vaults are encrypted, assuming security is up-to-snuff and the code is bug free, there shouldn't be a way for said attacker to open your vault. BUT, they can still double encrypt it. It can still be taken out of your control. You aren't guaranteed access to it. What do you lose if you lose access to your vault? Passcodes, sure. What about license keys? How many hours would it take you to rebuild that?
    Can the same thing happen if you are storing your vault somewhere else? Sure. But I have versioning, and backups, and the ability to effect change on how secure my vaults are when I control the vault's location.
    There's a saying about not putting all of your eggs into a single basket. Agilebits is asking us to put ALL of the eggs in THEIR single basket. That's not a basket anymore. It's a prime target.
    Your oversimplification of this is embarrassing at best.
  • DDOS would be fine if they do it how LastPass does it and allows offline access. I'd also be shocked if LastPass/OnePassword only had one, easily DDOSed IP. The clients can likely connect to 50 different obscure URL's if one is DDOSed. If a three letter has access, and the data is encrypted, they're not going to get much efficiently, at the moment. If they have access to code, and see a flaw, sure. All your eggs in one basket is both bad and good. Bad for the reasons you said, but also good since it's 1000x easier to secure 1 entry point rather than 50. Where were you storing them before? DropBox hands things over to 3 letters, and I'd be surprised if Google/Apple made it *that* difficult for them. If you stored it on a USB, you can't get it to an iOS device. Maybe Airdrop? You could look at KeePass. Free/opensource, and local vaults.
  • I would never suggest that Agilebits is stupid enough to have a single "easily DDOSed IP". Further, you seem to lack an understanding of how URL's (and by this, I'm assuming you mean DNS records) and IP's work.
    DDOSing multiple IP's can be done easily for days for a few hundred dollars if you know the right place to look. The internet is a lot darker than you can apparently imagine. Scripting a DDOS attack to transition to new IP's as DNS records are updated is very basic level stuff, so "obscure URL's" doesn't quite work the way you think they do. Furthermore, any user running 1password could easily discover those "obscure URL's" by watching DNS lookups and which connections their computers are making to the internet while the software is running.
    Let's just look back at recent history. How many services like AgileBits were affected when a *SINGLE* AWS datacenter lost part of its storage infrastructure? That was due to human error, not even an attack. It was compounded by thousands of companies not paying for any level of redundancy. How many customers did that affect? Customers who were paying monthly and trusted their application to always be available by a third party, who was paying monthly and trusting their application would always be available by a third party. (No, I didn't accidentally repeat myself)
    "DropBox hands things over to 3 letters, and I'd be surprised if Google/Apple made it *that* difficult for them." I'm not worried about my data being handed over to a 3 letter. This isn't about anyone handing over data. This is about backdoor access for the 3 letters, unbeknownst to the developer. This is about what happens once that access is discovered by others. Maybe you should read up on Shadow Brokers, just as a basic starting point.
    "...good since it's 1000x easier to secure 1 entry point rather than 50." I don't need anyone to secure my storage. I secure my storage.
    MORE importantly, "cloud storage" is just someone else's server. That server doesn't have a single entry point. That's not how servers work. That server has many entry points, and new entry points via vulnerabilities are being found all of the time.
  • I was simplifying the IP/URL thing for people. I doubt 1Password embeds IP's in the code on the chance they move servers, hence they could use URL's and have it fail if the cert doesn't match (that would help in the case of DNS spoofing). I like how you assume what I know or how dark I think the web is. What gain is there in someone DDOSing 1Password? Nothing, apart from anarchy (unless you say LastPass would do that). I'm not saying it won't happen, or is not feasible, just they could have backup IPs/URLs in the code that don't get used unless the others are DDOSed, and therefore they can get around DDOSes as no one would know of them from watching DNS queries until there is a DDOS. They could update the DDOS, yes, but AFAIK most of the cheaper DDOSes would be from the same IP ranges which could be blocked easier. The AWS issue was a human error *inside the network* with admin rights afaik. That's like saying "Look! Trump shattered a glass in the Oval Office, could you imagine if someone broke in and did that?!?!?" AWS has protections to stop attacks from coming in, which are usually a lot better than the protections against people on the inside. Yes, AWS messed up, but for 99.99999999999% of the time, AWS is less likely to make a mistake, security or otherwise, than the average user. If you're worried about backdoors, why use closed source anything anyways? I assume you're using Trisquel/Gentoo+LibreBoot on a machine with a LibreBoot PFSense firewall/router right? Glad you secure your storage. Most people won't, hence they let a cloud (yes it is someone else's computer) do that for them. It's like flying, it's 99.9999999999999999999999999999999% (whatever %) safer than people flying the planes themselves, but there are issues. I know about all of these risks, but most of the shadow brokers stuff, and the equation group afaik, wasn't them implanting things, it was finding things and not releasing. 
    BlueSmurf and whatever that SMBv1 flaw was were things the 3 letters held on to. Not only US 3 letters though mind you. Again, if you're concerned about a 3 letter agency putting a backdoor into the software, why do you care about closed source 1Password? You should be using dice, and a text file, on a veracrypt drive.
  • And you STILL have versioning, backups and the ability to effect change on how secure your vaults are when you control your vault's location. None of that has changed.
  • You can still have local vaults under the sub license.
  • It's not often you see someone recommended to trust a third party with all of a user's passwords.
  • You don't have to. You can still have local vaults. If you find it easier, you can use their cloud vault.
  • True. I guess my rant was off-base. Thanks for the correction.
  • Rene: With all due respect, this is not an accurate depiction at all and blesses the subscription model which is not necessarily the best nor way to go for all products. Let's start at the beginning.
    1) Consumers bought a product license for $x. They like the features and decided it was right for them.
    2) Consumers pass on some upgrade purchases as the features offered in new versions do not equate to value to those users.
    3) Consumers eventually buy an upgrade or new license if/when the feature set is valuable enough to them.
    However, under the subscription model you are forcing users to pay for updates and features that may have ZERO value to them. This is sadly the case with 1Password. The version I and my family use is more than adequate for our needs and we already pay for a cloud storage plan that is at least, if not more so, secure as AgileBits. Subscriptions will ONLY work in situations where there are frequent upgrades with features that most users will put value in and that fact is clear. Examples include MS Office, Adobe Apps, etc. And, in those cases, the subscription cost is a very small portion of buying a new license. Again, that is not the case here with 1Password. Agile Bits has really missed on this one.
  • What has Agile Bits missed? You still have exactly what you like.
  • Rene's subscription must be free. Otherwise, this is an embarrassing article. As others have pointed out, 1Password was never free. I paid good money for licenses. Will not use a subscription based model. Let's see how long my license is supported before being forced to a subscription.
  • I've always paid for 1Password and will always keep paying for it. It's what I do with every piece of software I want to stick around. (Also pay for Google Accounts.)
  • Never heard of 1password until I read this. Why would I put all of my passwords, credit card numbers, etc. into the hands of a single 3rd party? You might as well store passwords on your OneDrive or iCloud. Stupid. This is a disaster waiting to happen.
  • So you probably use the same password for everything and its most likely something simple with just an uppercase letter and a number. Or, you write down your passwords in a book, or even worse, in macOS Notes. You have no idea how this app works. Why not do a little research before making such a silly comment such as what you just made.
  • Or, like me, he uses a password manager that stores all passwords locally or on a shared drive under his care, custody, and control. Perhaps he uses an open-source one like KeePass, Padlock, or Passbolt. Leave commenting on this to those of us with more knowledge about computer security, because you're just making yourself look silly.
  • How is that different than configuring 1Password to store your vault on a local or shared drive under your care, custody and control?
  • I think that there's been a miscommunication. That's exactly what I do and what I am suggesting. One can use a password manager, and complex, unique passwords, without entrusting the storage of those passwords to a third party cloud service. The potential loss of this feature in future versions of 1Password is why so many of us are concerned.
  • Nope, not even close. My important passwords are quite complex and long, no words involved, just random-looking characters/numbers/specials. But they have meaning to me, and are easy to remember FOR ME. For throw away things - like here, gmail, yahoo mail, etc. - they are less complex, because I have nothing in the accounts to lose. You have no idea how my passwords work. Why not think a little before making such a silly comment as YOU just made.
  • Wow, a lot of nonsense. Did you people even read the article? They are not forcing anyone to do anything. First, you can still do what you've always done with them. Even in the next version. Considering their history, if people still want it I bet in version 8 you'll still be able to have the stand-alone version. As for subscriptions, I normally am against the concept. But I'm stuck with Photoshop because I have no choice. But when I retire? I'm going to stop paying and buy the competition. There are several good alternatives to Photoshop out there for personal use. But I finally saw the benefit of 1Password's subscription and went with it after the free six month trial. Any security worries are unfounded. Because you do sync through their servers, but you also have a local version of your data, so the scenario portrayed above is not an accurate portrayal of the danger. Fact: Of all the password managers out there, 1Password is the only one I've heard of that has never been hacked. The other popular ones have been. Rene's article is accurate, and the ludicrous criticism here is out of line. You can disagree with him, but his reputation, and long history, deserves some respect and the petty pot shots taken at him here are just more examples of the ugly America we're coming to see more and more thanks to people without ethics and without shame running rampant everywhere we look.
  • Not only did I read the article, I read everything quoted by the article several days ago. You wrote: "Any security worries are unfounded. Because you do sync through their servers, but you also have a local version of your data..." That's like saying that your credit card number can't be stolen from them because you have a local copy of it in your wallet. You wrote: "But I finally saw the benefit of 1Password's subscription..." To you. It has no benefit to me (or to many others). It's simply a security risk, money sink, and potential failure point and target for a DDoS. You wrote: "Considering their history, if people still want it I bet in version 8 you'll still be able to have the stand-alone version." What history? They sold a password manager as a standalone product for years, with many of us paying for multiple licenses, and now there's not even a place on their website to purchase it. You wrote: "the ugly America we're coming to see more and more thanks to people without ethics and without shame running rampant everywhere we look." People like you, when you personally attack others for daring to disagree with you. If you like the subscription model for 1Password, that's fine. But don't refer to more experienced and knowledgeable people's valid concerns as "ludicrous criticism" and "nonsense."
  • They have never been hacked. Doesn't mean they can't be. But my point was about the local data is addressing the comment about someone hijacking the data on their servers meaning you have lost access to your data. That's not true. And you are incorrect about not being able to find their standalone version. Many people have. Yes, they could make it easier to find, but it's there. And their forums are full of links. Some people seem to expect to be spoon fed everything I suppose. As for the "personal attacks" I was criticizing people personally attacking Rene for telling the facts. They might not like them, but it's childish to react like he's some kind of shill because they didn't like what he wrote.
  • You wrote: "my point was about the local data is addressing the comment about someone hijacking the data on their servers meaning you have lost access to your data." You called it a 'security worry.' I'd call that an availability worry. You wrote: "And you are incorrect about not being able to find their standalone version. Many people have. " No, I am not incorrect. I wrote, correctly, that "now there's not even a place on their website to purchase it." Go to The links across the top are: Tour, Security, Families, Teams, Pricing, and Support. Under which one is there an option to purchase a standalone version? Their forums are not full of links. They are full of offers to conduct transactions through email. Ben, from AgileBits wrote "We're no longer marketing standalone licenses, and as such have removed the upgrade option from the webstore." You wrote: "Some people seem to expect to be spoon fed everything I suppose." And the personal attacks continue. I'm locally hosting the kind of services that you likely have to pay someone else to "spoon feed" to you.
  • "Fact: Of all the password managers out there, 1Password is the only one I've heard of that has never been hacked. The other popular ones have been."
    It's generally a bad idea to present conjecture as fact...which is exactly what you just did. "only one I've heard of"
    "You can disagree with him, but his reputation, and long history, deserves some respect and the petty pot shots taken at him here are just more examples of the ugly..."
    Rene's reputation as a journalist is exactly what requires people to question him when he posts a puff piece like this one. He is being questioned by people who also have long careers. Many of us have long careers in either IT security or one of its peripheral fields. So, yes, the experts should question the journalist, especially when it's clear the journalist never bothered to question the experts.
    Rene's stance is in direct opposition to many security experts with very long careers. But if you want to trust the guy who spends most of his days writing SEO optimized articles about a VERY broad range of articles over the people who spend their days, you know...actually working on security. Go right ahead!
  • He's being questioned by a bunch of random people on the Internet. You don't have a picture and a username of "subnetwork". I don't know whether he's right or wrong but he's well-known in Apple reporting. You're just a random person from the Internet commenting on the piece. So who should we listen to?
  • You are right, and that's the problem I have. He, as a well known writer, is putting out a puff piece rather than doing the actual reporting. You suggest that because you trust his reporting on Apple, you should also trust his reporting around security.
    Me? I'm only an 18 year IT veteran. I'm a wireless network engineer, which as you might guess has a HUGE requirement for security. I'm easy enough to find online, but I won't spoon feed you puff pasty, I guarantee that!
  • And you're a random person on the internet what?
  • I think many of the security experts didn't have the full story, which is 1Password's fault, and rushed to make recommendations, which is their fault. I spent a few days looking at it before writing anything, which doesn't mean I got it right, but means I had time to try a lot of things and ask a lot of questions and, hopefully, provide a well informed, non-reactionary opinion.
  • I am glad we have people questioning Rene, and I am sure he is also. I too am struggling with his recommendation, and I am grateful that informed people who disagree with him are posting their concerns for me to consider. The point is that civility has disappeared on so much of the web that even well intentioned people let their passion get away from them and frame their arguments in box (perhaps subconsciously to give them benefit of the doubt) that if you disagree with them you lack ethics or morals, or are an *****. This is a great topic to keep at a high level of discourse. Thanks Rene for stimulating discussion on a topic that is important, and thanks for others who disagree taking the time to point out where they think Rene is missing issues.
  • This article provided no new information to me and it has done nothing to convince me that my concerns, and those of others, are unwarranted. It looks like AgileBits is unable to make the 1Password subscription service compelling enough to get people to voluntarily subscribe, so they have removed all obvious means of purchasing standalone 1Password licenses. Sure, you can get them for now via back-channel emails, but that reeks of something that is about as likely to be around in five years as Radio Shack. Rene quotes the AgileBits blog, which says "And you need not worry about 1Password 7 for Mac, either, as it will continue to support standalone vaults just like version 6 does today." i. What happens when version 7 no longer works due to a macOS upgrade and 1Password goes to version 8, which has no support for local vaults? ii. What will the pricing be for the standalone license for 1Password 7? How do we know that AgileBits won't drastically increase standalone license price to push people to subscriptions? What if your employer or their clients prohibit storing passwords on some other company's computer and the local vault storage option is gone? You want to tell the DoD that 1Password will be great for their SCIFs and that all they have to do is add Internet connections to their secure networks, including those on which they store TS/SCI SAP data? Also, it's not a monthly subscription fee. It says right on their web page that it is billed annually, in advance, so the 5 bucks/month for a family plan comes out to about 60 bucks all at once. The Terms of Service say that "All amounts paid are non-refundable." That sounds like a yearly subscription to me. It auto-renews unless you cancel -- and you don't know what the cost will be next year: "AgileBits, Inc., in its sole discretion and at any time, may modify the Subscription fees for the Subscriptions. Any Subscription fee change will become effective at the end of the then-current Billing Cycle." 
    Do you really want all of your passwords, license keys, etc. to be subject to this clause: "We may terminate or suspend access to our Service immediately, without prior notice or liability, for any reason whatsoever"? I have a business Internet connection on which I host cloud storage, VPN, web/Wordpress servers, mail servers, SSH, and FTP. I don't need to pay AgileBits 60 bucks per year to store 5MB of data remotely for me, especially when I can put it on Dropbox for free if I choose to store my passwords on some third party cloud storage provider's disk drives. Because of all of the above, I am actively looking for a replacement for 1Password. I don't intend to be caught with my pants down when (not if) they decide to sunset non-subscription, local versions. P.S. I've paid for multiple 1Password licenses over a period of more than four years. I don't "expect everything to be free all the time" and I find that allegation from the article to be insulting.
  • The traditional software business has been shattered. Apps have become pop-culture. That makes it very tough for any app to survive unless it's not a business but a part of corporate marketing or data acquisition. At the same time, people want more and more apps, and it's not realistic to think most people can pay high prices or subscriptions for all of them. 1Password will do what it has to do to survive as an independent business that wants to continue producing a product. (LastPass was sold, by contrast.) It's up to every individual to decide if 1Password is valuable enough that it's worth the subscription. My sincere opinion is that most 1Password customers, especially families, will be better off with the new model, even if the idea offends them at first.
  • Thank you for your article and thoughtful reply. I largely agree with your point about 'app acquisition' (hoarding?). That said, 1Password's new approach seems to have combined all of the bad elements of monthly subscriptions with the high cost normally associated with a license purchase. Many families which are cash-strapped might be able to justify a five dollar per month expenditure, but aren't comfortable being hit with it as an annual, paid-in-advance, non-refundable, sixty dollar fee. If AgileBits wants to maximize the success of this new model, they should do the following: 1. Bill a monthly fee on a monthly basis. Don't advertise a monthly fee in a large font and then disclose in the fine print that customers are actually paying a non-refundable, annual fee that's 12 times as high. That just seems sleazy. 2. Guarantee to cap rates for customers who maintain continuous subscriptions. In other words, if you sign up at five dollars per month, you keep that rate, or pay the prevailing rate if lower, for so long as you maintain a continuous subscription. 3. Guarantee to provide then-current subscribers with licenses in perpetuity for 1Password (with local storage/sync) should AgileBits shut down their 1Password subscription service. Otherwise, what happens if they decide in, say, three years that they want to sunset 1Password because it's not profitable (enough) and move to some other product or service (e.g. an enterprise crypto-related service/product)? You wrote: "My sincere opinion is that most 1Password customers, especially families, will be better off with the new model, even if the idea offends them at first." Only if they sign up for it. If implemented, the three suggestions I made above make it much more likely that they will sign up for it. P.S. Sorry for the 'long form' dollar amounts, but the spam filter won't permit me to denote monetary amounts in a normal manner.
  • I think those are all great suggestions. There's a lot any company can do to mitigate the anxiety of transition. I hope the 1Password team is listening to and evaluating exactly this type of feedback. Cheers!
  • “To put it bluntly,” this really is an insulting article. To state that I’m having a “hard time seeing beyond the here-and-now” is insulting. It is my responsibility to be concerned when changes are made to a cornerstone in my internet security system. I have yet to see an explanation of how I’m more secure by moving my passwords from local control to a central server, along with every other user’s passwords. The reason 1Password always beat LastPass is local control of password vaults. To imply that I expect everything “to be free all the time” is insulting. I’ve purchased 1Password multiple times; multiple single licenses, several family packs, licenses for relatives, and then again when 1Password became available on the App Store. I pay for software, especially “for something as important as security software.” “Change aversion” is appropriate for security software. Password managers go beyond mission critical; they are literally the keys to the castle. If there is FUD it’s not the users’ fault, it’s AgileBits’.
  • The article seems to have fully embraced the company's line - anyone not doing so is simply upset because "everything is expected to be free all the time" - this is rubbish - it's not a free app anyway. Saying that people who don't want to host their usernames, passwords, credit card details and more on a developer's web site are simply people who "hate change and often have a hard time seeing beyond the here-and-now" - is amazingly condescending at best. I would have expected a better balanced assessment of the situation from iMore... but then, apparently, I am one of those stupid people full of FUD. By the way, it might be worthwhile to take a look at the Agilebits terms and conditions (Google it) - they seem pretty much at odds with the supposed absolute safety of the hosted model: "....The Service is provided on an “AS IS” and “AS AVAILABLE” basis. The Service is provided without warranties of any kind...." blah blah blah. I have purchased many copies for personal and my company use over more than 10 years but no longer.
  • You can still use local vaults. I'll add that in bold to the article since it seems to be one of the primary concerns.
  • It's only in the last few days, after the Blog post you quoted in the article, that AB has tried to change its message. It's been months and months of toxic, condescending responses on the AB forum to concerned (pre-existing) customers like me. Suggest you take a look at the forum. Agile bits have repeatedly, in many many responses told customers "we're no longer marketing the standalone license offering"... "we are no longer recommending it for new customers" But: local vaults no longer supported in the current Windows version, there are currently no plans to bring that feature back. Travel mode is only in the hosted subscription version. Look, each to their own, if folk are happy to put their user names passwords, credit card detail, identity information on a developer's outsourced server good luck to them. But that doesn't mean people who are reluctant / refuse are stupid.... and AB's decision to treat them, and me, as such doesn't work for me.
  • "1Password 6 and even 1Password 7 will continue to support standalone vaults." What about 1Password 8? While I'm no statement analysis expert, that sentence doesn't seem very reassuring.
  • Apple should make a password/information storage app of their own. I'm really surprised they haven't done this already. (the passwords stored thru Safari is not good enough)
  • They do....it's called Keychain Access. You can store just about anything in there.
  • Thanks, I see that now on Mac with the Keychain app and I can add notes etc. But you can't access the notes on the iPhone. Apple should make a Keychain app for iOS and improve the app on all devices.
  • I won't use Keychain until Apple allows for master passwords. The idea of loaning someone my phone, tablet, or laptop and them having immediate access to my passwords and credit cards is appalling.
  • Agreed 100%. Can't imagine why this isn't an option you can turn on with all the security steps they have on KeyChain.
  • I don't want my password info stored in the cloud, no matter what AgileBits says. This is just a way to increase cash flow - which I understand. I would rather pay $20, $40, $60 a year to keep the same setup I have currently with local storage. If they need more money, charge more for the program and for updates. I have no problem with that as I find the program extremely valuable as it is currently set up.
  • As iCloud Keychain gets better, I think 1Password is boxing themselves out here. The main reason why I like 1Password is local vaults. Well also iCloud Keychain seems to miss every 4th password entry, but in the latest codes, iCloud Keychain is getting much better. I know all about the difficulty of maintaining a profitable development team, but you never should go back on the one thing that makes you so excellent. 1Password = Local Security. I'd rather they increase the price for the updates or offer both subscription and perpetual license options.
  • It's the lack of master password or Touch ID auth that bothers me about iCloud Keychain. I want it to require re-auth when accessing passwords and credit cards.
  • Heh, I hope those aren't the only things that bother you about iCloud Keychain! That's one Apple 'feature' I won't be going anywhere near.
  • I believe the iOS app was free, but had some stuff locked up because my wife just installed it on hers and didn't pay for it. I think if AgileBits is moving away from standalone vaults, that will take away its appeal. I went with them because of local wifi sync. Felt it was safer than trusting the cloud. It just seems like time will tell.
  • It's hilarious how the majority of comments below the linked article on the AgileBits blog come from their own staff. Almost like a day in the life of Gwyneth Paltrow's Goop PR department.
  • I agree with @tavisio, a vulnerability researcher at Google....."It's not as simple a topic as everyone wants it to be...and I'm sick of the toxic discussions" Zealots come from everywhere and personally attack anyone who voices a security concern. Insulting articles like this are typical of that approach - if you, Mr Customer, don't want to put all your usernames, passwords, credit cards etc. up on the internet on a developer's outsourced server farm then you, Mr Customer, are objecting only because you're too cheap to pay for software and you "hate change and often have a hard time seeing beyond the hear-and-now". Take a look at the 1Password forum and the toxic, condescending responses customers get when they ask about standalone licences. This is NOT the company it once was. Existing customers were invested in this product, supported it for many years paying for multiple licenses and upgrades, recommending it to friends and co-workers. They are a bit upset to have that product pivot as it has.
    There is only one reason AB would not offer BOTH standalone and hosted - "AgileBits is moving to a more sustainable business model"…. it ain't got nothing to do with customers. For me, I no longer use or recommend the software and wouldn't at any price - even if it was free.
  • You can still use local vaults.
  • "AgileBits is moving to a more sustainable business model"
    And if you don't like it you
    "hate change and often have a hard time seeing beyond the hear-and-now" Existing software still works, but that ain't the point mate, and I rather think you know that.
  • No, that is the point, mate :)
  • “To put it bluntly, AgileBits is moving to a more sustainable business model that will allow them to better develop and support 1Password now and into the future. It's ultimately better for customers too, but people hate change and often have a hard time seeing beyond the hear-and-now — even for something as important as security software.” This is a common theme: blaming the resistance to the subscription model on loud, angry customers who just hate change. Rene Ritchie does it and Jason Snell did the same thing (I had to remove the link because my comment was marked as spam): “Still, AgileBits knows that a (loud, angry) portion of its customer base hates software subscriptions.” But the concerns are much more well grounded than that. One of the fears of the subscription model is that it will remove the motivation that drives developers to keep bringing new and improved features to their product. It's very easy to become lazy when the money is rolling in anyway. Rene Ritchie says it's “ultimately better for customers too” but is that really true in reality? The recent discussion about Lightroom and Adobe (I had to remove the link because my comment was marked as spam) shows what might happen when a company switched to a subscription model in reality: “Also, the feature set in Lightroom has slowed to a crawl ever since Adobe locked us into a subscription. They swore up and down that the subscription model would allow them to make better improvements to products and consistently develop them over time. That is simply not factual. The list of significant features added to Lightroom in the last two entire years is barely one sentence long.”
  • I can hear AB now... we won't do that! As if.
  • I don't use Lightroom but I've been fine with Photoshop since Creative Cloud. I think updates trickle in and so you don't notice them as much as you did with the big releases? Updates can only slow when there's no competition and there seems to be good competition in the password manager space.
  • A subscription model is fine so long as you choose to use a service which requires server-side processing, such as a company's cloud computing system or whatever. The problem with Photoshop is that the product itself does not require any kind of server-side processing, which is evident with the fact that you have never needed an internet connection to use Photoshop. This is still the case, so all it boils down to is that it's a money grab, and it's a very bad practice. I no longer use Photoshop because of this and use Affinity Photo + other products instead, and I've moved from 1Password as well
  • As long as I have local vaults and don't need to move to the cloud, fine. A new version comes out, I pay, so not a problem. Forcing me to move to the cloud means that I go to another product. I pay for software I need or want and generally avoid free as that has a cost that will 'byte' you somehow.
  • I moved to 1P some time ago and absolutely love its security model, ease of use, browser integration with Safari, and overall pricing structure. Security software, executed brilliantly, that just makes my daily interfacing with digital and computers that much more fun; with flow and finesse.
  • I got 1Password when I bought my MacBook in Jan 2009. I upgraded to a family licence on all platforms. I haven't upgraded since version 4. Last week I made the jump to the subscription so that I could stop using DropBox to sync and so that I could share more easily with my wife. I love the easy QR code setup and the safety of the printed doc to recover your account. Keep it locked in a safe place and your family can access your passwords if anything happens to you.
  • I moved to Enpass a long time ago - Enpass stores your passwords locally and can sync with your choice of cloud service should you wish to. It works like 1Password and looks very similar with browser plugins etc.. The desktop app is free and the mobile app costs $9.99 for a lifetime license. I'm just a happy end user.
  • Security experts on the side of local vaults championed 1Password. Those experts will naturally stop recommending and start criticising the app _vehemently_. It is not FUD: it's a valid argument. You can have subscriptions to an app that uses local storage. 1Password has chosen not to do that. They have abandoned supporters and foolishly think they can change the minds of informed individuals and experts. Yet all they need to do is announce subscriptions give you both and support will be restored.