
1Password X: A look at the future of 1Password in the browser - clapsclaps
https://blog.agilebits.com/2017/11/13/1password-x-a-look-at-the-future-of-1password-in-the-browser/
======
actionscripted
Am I the only one in here who loves their hosted solutions? We use Teams at
work and I use Family for my wife and I.

It's important to me that I have access to certain passwords on my desktop,
laptop and phone. These items also need to be accessible to others who should
be able to view/edit. There's no way to do this without some sort of cloud
solution and so the decision becomes which cloud solution. I used to use
Dropbox, but now have no need with Team/Family.

With teams, when a staff member leaves, we can easily remove them from the
admin panel, update all passwords in all vaults they had access to and have
those changes immediately available to everyone.

A lot of responses here sound incredibly paranoid and almost naive. If you're
not syncing passwords between devices/users and you're not putting your
information into the cloud then I would argue at some point you may be
performing insecure actions to accommodate secrets use/management.

For example, how are you logging in on your phone to a service that requires a
user name and password when the password lives only in a standalone system on
your desktop? If you're not manually entering the password, you're likely
doing something security-wise that isn't ideal.

~~~
epistasis
What part is actually hosted here? Do they store opaque encrypted blobs and
pass those around, or can they see the actual secrets too?

~~~
AGKyle
Disclosure: I work for AgileBits, makers of 1Password

We outline the entirety of how this works in our white paper:

[https://1pw.ca/whitepaper](https://1pw.ca/whitepaper)

We cannot tell what your data is. It's encrypted on your device using keys
that only you know. Then we store it on our side on the server.

The unique solution of using your Master Password and your Secret Key, makes
brute forcing the data on our server an incredibly expensive job for anyone
attempting to do so. It makes our servers an absolutely terrible target.

I definitely recommend reading the white paper, it's quite easy to read, even
if you aren't super interested in cryptography. If you have questions though
just let me know. I'll make sure you get answers.

Kyle

AgileBits

~~~
t0mbstone
All it would take for 1Password to decrypt our entire vault is for 1Password
to push out a software update that simply made it so that the client app
uploaded the keys to 1Password's servers after the user typed it in. Without
1Password releasing their source code, end users would have no idea if such an
update ever took place. We just have to trust 1Password as a company. Well, if
we already trust 1Password as a company, what's the point of even using
encryption? Might as well just store it in plain text in a database on your
servers and trust that your employees won't look at them!

Without open source auditing of all clients and md5 checksums of compiled
binaries, security is nothing more than an illusion.

~~~
AGKyle
If that's your concern then I'm afraid there's little we can do to change your
opinion and perhaps 1Password isn't the solution for you.

I don't mean to sound rude or anything like that. Just being honest.

We have had grand visions of offering portions of our source (notably the
cryptographic portions) available for review, note, not open source in the
sense you can use it but in a license that makes it available for review
purposes.

If 1Password.com was the sole solution we offered then open sourcing the
entire app would be potentially feasible because our income wouldn't rely on
people compiling their own version and editing out the license code. But it
makes little sense for us to make that available if modified copies can be
made available removing a chunk of our income.

For what it's worth, we have over 90 people who depend on AgileBits to provide
paychecks so people can support their families. That's a heavy burden when
your decisions can impact that many lives. I'm just a member of our team, not
a founder or owner or anything but hopefully you can recognize this side of
things.

We'd like nothing more than to do whatever we can to get users to trust us but
there are limits to what we can do and still keep 1Password alive.

If you absolutely have to see the code in order to trust an application then
there are other options out there, but they won't provide the same level of
support, features, or hands off management. These are trade offs you have to
make as an individual. Only you can make those decisions for you.

Every person at AgileBits uses 1Password, and we design it knowing we will be
using it and we are all passionate about wanting our data secure. If we did
something to put your data at risk, we did the same thing to ourselves. Just
another view of that I suppose.

Kyle

AgileBits

~~~
t0mbstone
I'm simply pointing out the elephant in the room. If there is no ability to
audit the source code of the password manager, and the source code is managed
by a third party company, then for all intents and purposes, the third party
company has theoretical access to everything (regardless of what encryption is
used). It boils down to trust, and that trust can be violated by a single
rogue employee at AgileBits. It could also be potentially violated by a
government agency gaining control of AgileBits.

~~~
epistasis
First, I'd like to point out that this concern is completely orthogonal to a
hosted service, and has no connection to it.

Second, with the inability to check that a given binary came from a given
source tree, open source does not help us audit what gets executed. If we're
supposing that Agilebits' build process has been compromised, then we're in
the same realm as considering a compromised build process for .deb or .rpm.

~~~
jpgoldberg
[Disclosure: I work for AgileBits, the makers of 1Password]

Thanks. I (as you'd expect) agree with both points.

The second one is particularly challenging. Deterministic builds are possible
for some categories of software, but it will be a long time in coming. And for
software that is updated frequently, it is even harder for people to
practically check that what they are running is the reviewed code. But the
technology is improving for this to be more practical. On the other hand, app
stores move things further away from having the ability to distribute
deterministic builds.

This is not an excuse to not seek openness, but it does point out that there
are lots of things to do that most people don't do to get the benefits of that
kind of inspection.

------
newman314
Ugh. Agilebits left out until the very end that this is only for their hosted
solution.

No surprise but looks like standalone users are left out in the cold. Again.

Much as I like and use 1Password every day, I really really do not like the
fact that they moved to a hosted model.

~~~
pwenzel
Standalone user here since 1Password 2.0, using it both on iOS and OSX. I feel
that it receives pretty frequent updates, and doesn't suffer from feature
bloat. It even synchronizes great with Dropbox. What are people's gripes with
AgileBits' support of the standalone version?

~~~
iamthirsty
People see progress happening on something they don’t use (because standalone
is basically feature-complete) and just want to gripe. I’ve been a stand-alone
user for literally as long as I can remember and have never had a single issue
with 1P.

~~~
npunt
Same. I have a tough time empathizing with people who expect free upgrades
forever (especially if purchased many years prior) if they don’t articulate
how those upgrades should be funded.

I think it comes from a desktop software mentality, where things remained
rather static relative to mobile’s rapid changes.

~~~
trurl
I don't expect free upgrades forever, but I am extremely disappointed that I
will have to migrate all my data to another product if they cease providing an
offline version.

~~~
AGKyle
Disclosure: I work for AgileBits makers of 1Password

We've already announced that 1Password 7 for Mac and 1Password 7 for Windows
will continue to offer standalone licensing.

Just a heads up that we're not removing the option for users like yourself
that want to continue to use standalone vaults and the licensing to go with
it.

That said, if you haven't, I would recommend at least trying our
1Password.com service. It was built and designed from the ground up to work
for 1Password. It's an incredibly great experience. If you try it and aren't
interested after the trial I'd love to hear your feedback on why. No credit
card is necessary to try it.

Kyle

AgileBits

~~~
iamthirsty
I've tried it, but it isn't for me (privacy-paranoid). That said, I really
appreciated the post where you said standalone vaults would remain — made me
feel like you guys cared. That's the whole thing. I literally don't need any
more features besides security upgrades, and as long as I know you're still
looking out for us too I'm perfectly happy.

------
nkw
> 1Password X was designed for our hosted 1Password service and connects
> directly to your account.

Agilebits/1Password's continued shoving of their 'hosted' services down their
customers' throats amazes me. I'm not even particularly against
SaaS/cloud/hosted/subscription/whatever, except a password manager is exactly
the type of product that I do not want in that type of environment. Is it
really impossible to have a successful software business without this BS? I
guess I am in the minority but I would much rather you charge me more for the
software or charge me for the upgrades, than push me into your hosted cloud-
subscription stuff.

Agilebits/1Password was by far the best product out there, with astonishing
goodwill amongst their customer base, which they have managed to lose, not to
competitors or outside forces, but rather by incinerating it themselves.

~~~
askafriend
They haven't lost any good will that matters in the long run. I find 1Password
valuable enough to pay them a monthly fee and so do many many others.

They changed their business model to be more sustainable/profitable and they
know that means that they'll lose a segment of customers but that's OK.

The products that won't do well with a business model like this are products
that don't provide enough value. There is nothing wrong with the pricing model
itself or a company choosing to adopt it.

~~~
mcgrath_sh
For me, it is both about the business model and the move to a hosted service.
I’m against renting tools. I will gladly buy them, and I will buy frequent-ish
updates (18-24 months). I'm not cheap. I simply value ownership of both the
software and my data. I have bought five 1Password licenses for myself and my
immediate family; a roughly ~$300-$320 investment. Toss on another $50 for iOS
licenses and you have roughly six years of subscription revenue. So, if six
years of subs is goodwill that doesn’t matter, that is fine.

~~~
AGKyle
Disclosure: I work for AgileBits, makers of 1Password

To be clear, we aren't "moving to a hosted service."

We still offer the Pro features for iOS for $10 for users who want to purchase
that instead of a subscription.

We still offer 1Password 6 licenses for Mac, they're available via the Mac App
Store, our website, and in app after the trial period ends. We have also
announced we'll be offering 1Password 7 licenses when we release that in the
future.

We have also announced we'll be offering standalone vaults and traditional
licenses for 1Password 7 for Windows.

So nothing is "moving to a hosted service." It's simply another option and
it's also the option we feel is best for a vast majority of our users, that
may not be you that falls in that category, but you're also reading hacker
news, you're not in the same category as a majority of our users either.

Hope that helps a little at least.

Kyle

AgileBits

------
rcarmo
"1Password X was designed for our hosted 1Password service and connects
directly to your account."

Nope, sorry. No. Never. I'd rather change password managers than rely on a
small, niche company to keep the data secure and in sync -- larger players
have a much bigger advantage here.

I can see a future coming when I'll only use 1Password on my phone, and have
things stored on a secure enclave. It will be slightly more of a pain to use
it on a desktop, but most browsers and operating systems are building their
own simplified (and arguably more secure) password vaults...

~~~
lucisferre
Larger players being? I can only think of Lastpass when it comes to similar
feature sets.

~~~
egeozcan
Chrome saves and syncs passwords for you out of the box. Combined with an
offline KeePass database, it works great.

~~~
stephengillie
KeePass works great with Dropbox. These with Chrome are a pretty comprehensive
solution across mobile and desktop, with layers of MFA, if the key file is
stored separately.

------
ejcx
Former LastPass employee here. Looks to me like 1Password is going full
LastPass. First fully hosted passwords. Now support for extension only (which
is way worse security wise).

SaaS margins and recurring revenue is better, and I guess their previous model
was killing 1Password.

~~~
AGKyle
Disclosure: I work for AgileBits, makers of 1Password

Hello fellow (or former) password manager person! Fancy seeing you here.

The previous model wasn't killing us, in fact it isn't even "previous" because
we still offer standalone licenses for those that want them and will continue
to do so.

For those who aren't aware of our upgrade cycle in the past:

For Mac, we last charged for 1Password 4 back in 2013. Version 5 and 6 were
free upgrades over the last 4 years. Version 3 users got free updates for 6
years before we released 1Password 4 as a paid upgrade.

For iOS, version 1 was paid, version 2 and 3 were free upgrades. Version 4 was
a paid upgrade by way of a new app. It went free with premium in-app purchase
in version 5 and all users who purchased version 4 got the premium service
free in 5, 6 and 7.

If we really were struggling making revenue work for our standalone licenses
we could've charged for upgrades every year like any other product does.

1Password.com is not about the revenue, it's about making a product that we
can do more with. We have exciting ideas and features we want to create and
introduce to our users but we couldn't do that without our 1Password.com
solution. This is simply one of those options, our command line client is
another one, and we'll be showing off even more great new features like these
in the future.

On the security side, I encourage any security researchers out there to try to
prove our applications insecure by demonstrating it via our bug bounty
program:

[https://bugcrowd.com/agilebits](https://bugcrowd.com/agilebits)

Happy hunting.

I hope that gives some insight at least.

Kyle

AgileBits

~~~
ejcx
I'm a bugcrowd customer too, but offering a prize to say you are secure is a
fallacy. It's also not how bugbounties work... Example:
[https://moxie.org/blog/telegram-crypto-challenge/](https://moxie.org/blog/telegram-crypto-challenge/)

The fact remains the same that the things you championed against LastPass
doing are now the features and products you are providing.

You guys have already been caught erasing and hiding the previous versions on
your site to convert people to 1Password.com.

I don't really care about any of this since but you guys are just not being
sincere about the things you're doing. It's kind of sad.

~~~
roustem
> You guys have already been caught erasing and hiding the previous versions
> on your site to convert people to 1Password.com.

Wow, that is BS.

You can download any previous version of 1Password, starting with version
0.8.0 (May 2006):

[https://app-updates.agilebits.com/](https://app-updates.agilebits.com/)

~~~
ejcx
No it is not at all. This is what the whole debacle was a few months ago when
you removed most of the download links from your website.

[https://twitter.com/cryptovillage/status/884205077459738624](https://twitter.com/cryptovillage/status/884205077459738624)

~~~
khad
Every version of 1Password available on
[https://1password.com/downloads/](https://1password.com/downloads/) works
with standalone vaults. The only exception is 1Password 6 for Windows, but
there is a link to download 1Password 4 for Windows. The link for that even
says "Get 1Password 4 (standalone version)".

------
SirensOfTitan
I have used 1Password for half a decade, but I'm pretty disgusted by AgileBits'
behavior as they continue to shove non-cloud users aside. The amount of
customer goodwill they've burned is astounding. I think it's time to start
looking elsewhere for a password manager solution.

~~~
AGKyle
Disclosure: I work for AgileBits, makers of 1Password

I'm sorry you feel that way.

What makes you think we're pushing you aside?

We are still introducing features in 1Password 6 for Mac, and 1Password 7 for
iOS that work for both our hosted solution and our standalone users.

We are able to offer a lot of newer features to our 1Password.com membership
users because that solution opens a lot of new possibilities. But we certainly
haven't forgotten about users like yourself.

1Password 6.9 for iOS introduced Drag and Drop for iPad users

1Password 7 for iOS introduced Face ID, a new favorites screen, Quick Copy,
and a host of other smaller features and improvements

We're not stopping there either and have even more great new features lined up
that will work for both our standalone users and our 1Password.com users.

1Password 7 was also a free upgrade for any iOS user, including those that had
Premium features purchased.

I'd love to hear how you think we're pushing you aside though because it'll
help me understand how we can try to improve our language in various release
notes and announcements to make it clear we aren't leaving you behind.

Thanks!

Kyle

AgileBits

~~~
threatofrain
I'm just wondering, does your period subscription license also include your
"stand-alone" software?

~~~
AGKyle
It does.

So if you purchase a subscription, you'll sign into an account for 1Password
in the app. The presence of an active account (one that's in paid status, or
trial) will unlock the standalone licensed portion of the application. So you
can freely use those features to your heart's content.

At least, that's how it works for Mac and iOS. I contribute to those teams
specifically on the development side so I'm most familiar there, I'm not sure
I know enough about Android to comment there and be accurate. If you need to
know about Android I can find out though. Regarding Windows, not currently
because version 6 is 1Password.com only, however, version 7 will add
standalone vaults and a traditional license model, I anticipate it will copy
our Mac application but until it ships I can't guarantee anything.

Kyle

AgileBits

------
diggan
Was excited to read "Linux users and Chrome OS users could join in on the
fun?" but then ". It works everywhere Chrome works" so still no love for
Firefox users... Too bad the CLI is possibly the worst CLI ever made,
otherwise Firefox support wouldn't have been so important.

~~~
AGKyle
Disclosure: I work for AgileBits, makers of 1Password

I suspect that browser support for 1Password X will continue to expand over
time, but focusing on one browser first helped us make it available sooner
rather than later.

Out of curiosity, what exactly do you not like about our CLI? It offers a ton
of flexibility, perhaps that's part of the problem. If you have concrete
issues though I'd love to make sure we get that recorded for our team.

Kyle

AgileBits

------
syllogism
In-browser password managers are completely insecure by design.

Any site can write whatever they want within the page, so it's easy to fake
the prompt and steal the password. The only way to prevent this is if the
password manager runs as a standalone application, so that the password is
entered outside the browser. 1password has this, and the workflow is fine ---
switching to the insecure one makes no sense.

~~~
psychometry
How are sites going to trick the extension into believing the site is on a
different domain?

~~~
pfg
The problematic bit is that the browser itself would prompt you for your
master password. Getting users into the habit of entering their master
password in a browser window means that it's relatively easy for sites to
create a fake prompt that's likely to fool a lot of people.

1Password does a couple of things to mitigate this. First, the master password
alone would not be sufficient to get access to your passwords. An attacker
would also need access to your vault files (for local vaults) or your secret
key (for 1Password Accounts, their SaaS offering). Second, the password prompt
isn't rendered within the "danger zone" - the part of your browser window
where the page you're visiting is rendered. Instead, it's a dialog on top of
the extension toolbar where it's distinguishable from the site (at least with
the Chrome extension for the standalone version on macOS, I haven't checked to
see if this changed).

Neither of these mitigations are perfect. Leaking your master password is
obviously bad either way, and while I have some faith in my ability to detect
a fake password prompt that's rendered in the wrong position, that's a bit
like an anti-phishing strategy that boils down to "always check the domain",
which we know doesn't work. Ultimately, not using an extension reduces your
attack surface significantly, but incidentally that comes at the cost of some
phishing-resistance that you gain from only ever entering your password
through an extension matching the domain.
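
The domain matching mentioned in the comment above can be sketched as follows. This is an added example, not part of the thread and not 1Password's matching logic; `may_fill`, `naive_may_fill` and all URLs are hypothetical, constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def origin_of(url):
    """Return (scheme, host, port), normalised; host is '' if the URL is unusable."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    # .hostname drops any "user@" prefix and lower-cases the host.
    host = (parts.hostname or "").rstrip(".")
    try:
        port = parts.port or DEFAULT_PORTS.get(scheme)
    except ValueError:  # non-numeric or out-of-range port
        return scheme, "", None
    return scheme, host, port


def naive_may_fill(saved_url, page_url):
    """Weak check: the saved host merely appears somewhere in the page URL."""
    return origin_of(saved_url)[1] in page_url


def may_fill(saved_url, page_url, allow_subdomains=False):
    """Strict check: same scheme, same port, and same host (or a true subdomain)."""
    s_scheme, s_host, s_port = origin_of(saved_url)
    p_scheme, p_host, p_port = origin_of(page_url)
    if not s_host or not p_host:
        return False
    if p_scheme != "https":  # never release a credential to a cleartext page
        return False
    if (s_scheme, s_port) != (p_scheme, p_port):
        return False
    if p_host == s_host:
        return True
    # The leading dot forces a label boundary, so "evilaccounts.example.com"
    # is not treated as a subdomain of "accounts.example.com".
    return allow_subdomains and p_host.endswith("." + s_host)


# Constructed sample data: one saved login and pages a user might land on.
SAVED = "https://accounts.example.com/login"
PAGES = [
    "https://accounts.example.com/login?next=/home",      # genuine
    "https://ACCOUNTS.example.com.:443/login",            # genuine, odd spelling
    "https://accounts.example.com.evil.test/login",       # saved host as a prefix
    "https://accounts.example.com@evil.test/login",       # saved host as userinfo
    "https://evil.test/?ref=accounts.example.com",        # saved host in the query
    "http://accounts.example.com/login",                  # cleartext downgrade
]


def decisions():
    """Map each sample page to (naive verdict, strict verdict)."""
    return {p: (naive_may_fill(SAVED, p), may_fill(SAVED, p)) for p in PAGES}


if __name__ == "__main__":
    for page, (naive, strict) in decisions().items():
        print(f"naive={naive!s:5} strict={strict!s:5} {page}")
```
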

------
DavideNL
The cloud storage they are pushing everyone to annoys me. I feel like it's
just a matter of time before I will switch to something else.

Also, does the average person really need a $3/month subscription even though
they could just store the few KB/MB of data in their iCloud/Dropbox/whatever
for free? No they don't, but they probably won't realise that anyway. To me it
feels like they are trying to fool people.

A 5 year subscription would cost you $3 * 12 * 5 = $180. Who would ever buy
1Password software & upgrades for $180 in 5 years?

Even though $3 a month _feels_ like a small amount, it isn't.

------
doomrobo
Does this mean that all crypto in 1Password X is now implemented in
Javascript?

~~~
fcarraldo
I'm worried about this too. The entire reason I migrated to 1Password over
Lastpass is that I don't trust Lastpass' extension. There are too many edge
cases, too much fuzziness around "offline usage", and too much reliance on the
browser. 1Password's extension acting as an anchor for 1Password Mini, which
runs as a separate application on my desktop outside of the browser ecosystem,
is a major draw.

I don't see how this is better in any way. What's the point?

~~~
roustem
1Password X is a pure Chrome extension and does not rely on the native app.
This has its benefits and obvious drawbacks.

Some of the benefits:

* Simpler installation

* Support for multiple users on the same computer with Chrome user profiles

* Support for Chrome OS

~~~
fcarraldo
Is this an option for Chrome/Linux/ChromeOS users to provide a more
streamlined first-use experience? The "a look at the future" and "this is just
the beginning" wording in the announcement blog post implies that this is the
direction that 1Password is taking as a product, and Chrome support is just
the beginning.

As a user who prefers a native implementation, uses local vaults, and uses
Firefox, none of these advantages matter much. If it's not "for me", that's
totally cool. If this new experience will replace the existing one, 1Password
is no longer the solution for me.

~~~
AGKyle
I think the easiest way to look at this is as you said, another option for
users.

Some enterprises don't allow their users to install applications, but do allow
extensions, so this opens up that possibility.

It also brought 1Password support to two new platforms: Linux and Chrome OS.

As for this being the future. Imagine a world where from a design perspective
this sets the tone. Thus, the beginning of the future.

It's a first version that has to compare itself against versions that have
existed for years. Of course it can't fully replace what we have. It may for
some though, I won't discount that at all.

For starters, there's no way to do Touch ID in the browser. There's no support
for local vaults. There's only Chrome support, nothing for Safari or Firefox.
There's a lot missing here.

But in terms of the future, this sets the visual design up for how you'll
start seeing future updates on the other side of the extension fence.

So, let's go with "this isn't for you" :)

In fact, I doubt in a lot of ways that this is for people on Hacker News. A
smaller number will probably find it useful though.

Kyle

AgileBits

~~~
fcarraldo
Thanks for the response. I appreciate the clarification on this being the
beginning of the visual design for the future. As long as _solely_ browser
extensions are not the future of 1Password, then it will continue to be my
password manager of choice.

------
woolvalley
There is a segment of your users that still want the original 'on-prem'
version that you started out with.

These nerds have money and understand you want a sustainable business model.
Just charge these people an annual software maintenance fee and stop
neglecting the standalone version. Yes it won't satisfy everyone, but it will
stop all the negative PR that comes out whenever you do something that is
artificially cloud only.

~~~
AGKyle
Disclosure: I work for AgileBits, makers of 1Password

How are we neglecting our standalone users? I'm really curious here because we
are still introducing features in our existing applications that work for our
standalone users.

Certain new applications like 1Password X and our CLI are only really easily
possible because of 1Password.com, but just because these are being offered
doesn't mean we're neglecting our standalone users.

Just recently in 1Password 7 for iOS, we added Face ID support, a new
favorites screen, and Quick Copy, among others. In 1Password 6.9 we added Drag
and Drop support. None of these features are unique to 1Password.com, they
work for everyone and they were free for existing users as well.

Really curious how we're neglecting you though. I'd love to understand this so
I can make sure we address it better.

Kyle

AgileBits

~~~
woolvalley
You don't discard them completely, but new things that can be made by reading
local files vs using a cloud API are just made using a cloud API. Updates to
current apps I'm guessing will still support local file users if it's easy.

Your website has no obvious way on how to buy the standalone version now. It's
pretty obvious through behavior that it's a deprecated mode without stating it
outright.

Most people can deduce it's an official PR position to deny the behavior that
is being shown, like you're doing right now.

But please, just be honest and say it's deprecated. Or start supporting the
on-prem users again & ask for a software maintenance fee. None of this on the
fence stuff. One guy that I have seen that has done it outright is this one:
[http://www.keyboard-and-mouse-sharing.com/maintenance.htm](http://www.keyboard-and-mouse-sharing.com/maintenance.htm)

Once deprecation enforcement starts becoming too much, those users are going
to go away. A chunk of these customers don't want to do that although, because
just paying the $24/year is cheaper than the time and hassle it would take to
switch to something else. You could even combine it with the cloud version and
just let people choose. But they are not going to choose that if they know
on-prem is still deprecated.

You guys used to make features that would explicitly avoid server side
decryption, like watchtower. We want that back.

~~~
roustem
> Your website has no obvious way on how to buy the standalone version now.

It is not easy. In the beginning we had a website that offered both standalone
version and a subscription on the same page. It is easy for HN people to make
this decision but we had hundreds of customers purchasing both, most of them
having no idea what is the difference between license and subscription.

Since the purchase-separate-license-for-each-platform-and-host-data-yourself
requires more expertise, it made sense to make it less visible and make the
subscription option to be default.

> You guys used to make features that would explicitly avoid server side
> decryption.

All encryption is still performed on the client side. In fact, with 1Password
service we went overboard and are now encrypting much more data on the client side
than we used to.

We also added a separate Secret Key that makes sure the encryption strength
does not depend on the master password alone (many people still use pretty
weak master passwords).

------
fencepost
I find myself wondering if keepass is going to introduce a new vault type of
small individual files in a directory and move into where 1Password used to be
(including "cloud" using any of many cloud storage options).

edit: Seems to me that even if you set a fixed file size of 1-2k for each
entry it wouldn't be too huge, or perhaps a dual-file per entry system with
one small fixed-size file (128-256 bytes?) for indexed info (URL, name,
username), etc. and a second fixed at multiples (or powers) of 1KB for added
data (actual passwords, password history, notes, etc.) you could mostly avoid
disclosing information even about URL lengths, etc. You could probably
reasonably obscure a lot by doubling the larger file's size as the minimum
increment and for most scenarios the file size would still be pretty trivial
by modern networking/storage standards. Would stink for binary storage or
images, etc. but there are different solutions available for that.
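
The two-file, fixed-size layout proposed in the comment above, as an added example that is not part of the thread and not KeePass or 1Password code. The record framing, field separator and function names are assumptions made for illustration, and the records are meant to be encrypted afterwards with a cipher that adds a constant overhead, so the ciphertext sizes stay equally uniform.

```python
import struct

INDEX_SIZE = 256                  # fixed size of the small index record
MIN_BODY = 1024                   # smallest body bucket: 1 KB
LEN_PREFIX = struct.Struct(">I")  # 4-byte big-endian length of the real payload
SEP = "\x1f"                      # ASCII unit separator between fields (assumed)


def bucket_size(n, minimum=MIN_BODY):
    """Smallest size in the series minimum, 2*minimum, 4*minimum, ... holding n bytes."""
    size = minimum
    while size < n:
        size *= 2
    return size


def pad(payload, fixed=None):
    """Length-prefix the payload and zero-pad it to a fixed or bucketed size."""
    framed = LEN_PREFIX.pack(len(payload)) + payload
    target = fixed if fixed is not None else bucket_size(len(framed))
    if len(framed) > target:
        raise ValueError(f"payload of {len(payload)} bytes does not fit in {target}")
    return framed + b"\x00" * (target - len(framed))


def unpad(blob):
    """Recover the payload, rejecting a length prefix that points past the record."""
    (n,) = LEN_PREFIX.unpack_from(blob)
    if n > len(blob) - LEN_PREFIX.size:
        raise ValueError("corrupt length prefix")
    return blob[LEN_PREFIX.size:LEN_PREFIX.size + n]


def encode_entry(url, name, username, secret_fields):
    """Return (index_record, body_record) plaintexts, ready to be encrypted."""
    index = SEP.join([url, name, username]).encode("utf-8")
    body = SEP.join(secret_fields).encode("utf-8")
    return pad(index, fixed=INDEX_SIZE), pad(body)


def decode_entry(index_record, body_record):
    url, name, username = unpad(index_record).decode("utf-8").split(SEP)
    return url, name, username, unpad(body_record).decode("utf-8").split(SEP)


# Constructed sample entries of very different real lengths.
ENTRIES = [
    ("https://a.example", "A", "al", ["pw1"]),
    ("https://a-much-longer-hostname.example/login?next=/account", "Work SSO",
     "alice@corp.example", ["correct horse battery staple", "old-pw-1", "a note"]),
    ("https://x.example", "X", "u", ["p", "n" * 3000]),   # long note
]


def observable_sizes(entries=ENTRIES):
    """What a storage provider would see: (index bytes, body bytes) per entry."""
    return [tuple(len(r) for r in encode_entry(*e)) for e in entries]


if __name__ == "__main__":
    print(observable_sizes())
```

An index that outgrows its 256 bytes raises `ValueError` rather than silently growing, because a variable-size index record would reveal the URL length the layout is meant to hide.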

~~~
roustem
That's how we designed the original 1Password data format (.agilekeychain). It
certainly made syncing with Dropbox much simpler.

It does have its drawbacks though. Once you have too many files (and make too
many requests), both Dropbox and iCloud will start throttling you.

It also might take a while to reload the data, even from the local disk. We
had to add a cache file at some point.

~~~
fencepost
I could see either local caching or (assuming the storage backend provides
access to file metadata like date/time stamps that are internally consistent)
I can think of several ways to have any instance of the application
consolidate those small index files into larger ones such that you'd mostly
need to load the consolidated file plus any individual entries modified since
its timestamp. If those consolidated files were appropriately named you could
even have multiple instances creating them at the same time without causing
collisions. Cleanup could be a little trickier, but could likely be done with
very little risk as long as a little bit of storage bloat wasn't a big
concern.

Interesting thought experiment, thanks for mentioning your real-world
experiences with it.

~~~
AGKyle
Yea, our current solution, as Roustem mentioned, sort of recreates the Dropbox
app on Mac. We replicate the entire keychain file on the device, then perform
syncing to keep both up to date.

Our newer OPVault format uses band files, each band file is named after the
first character in each item's UUID, which means we have far fewer files than
AgileKeychain (individual files for each item).

They both have their pitfalls, but initial sync with OPVault is infinitely
faster as number of items increase. We did a ton of testing when we switched
to the new Dropbox API and we had AgileKeychains with thousands of items in
them. They took awhile to sync. The same number of items in OPVault was nearly
instant, at least with regard to the replication portion. Sync still took a
little while due to the encryption and decryption that had to happen.

Sync with 3rd party sync services has always been quite difficult for us.
Especially from a troubleshooting standpoint. It's hard to replicate certain
issues because the data is incredibly sensitive for users so we can't "get"
the data and instead have to try to duplicate the issue with limited
information.

Every day is certainly a unique challenge :)

Kyle

AgileBits
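
An added illustration of the file-count trade-off described in the comment above (example code, not from the thread or from AgileBits): it compares a one-file-per-item layout with grouping items by the first character of their UUID. The file names, the random sample UUIDs and the simple cost model are assumptions made for the example.

```python
import random
import uuid
from collections import defaultdict


def make_items(n, seed=1):
    """Constructed sample data: n random item UUIDs (not real vault items)."""
    rng = random.Random(seed)
    return [str(uuid.UUID(int=rng.getrandbits(128))) for _ in range(n)]


def per_item_layout(items):
    """AgileKeychain-style layout: one file per item (file name is hypothetical)."""
    return {f"{u}.item": [u] for u in items}


def band_layout(items):
    """OPVault-style layout: items grouped by the first character of their UUID."""
    bands = defaultdict(list)
    for u in items:
        bands[f"band_{u[0].upper()}"].append(u)  # hypothetical file name
    return dict(bands)


def sync_cost(layout, changed):
    """Return (files fetched on initial sync,
               files rewritten after the edits,
               items contained in the rewritten files)."""
    changed = set(changed)
    dirty = {name: members for name, members in layout.items()
             if changed.intersection(members)}
    return len(layout), len(dirty), sum(len(m) for m in dirty.values())


def compare(n=5000, edits=3):
    """Cost of both layouts for n items when `edits` of them are modified."""
    items = make_items(n)
    changed = items[:edits]
    return {
        "per_item": sync_cost(per_item_layout(items), changed),
        "band": sync_cost(band_layout(items), changed),
    }


if __name__ == "__main__":
    for name, (files, rewritten, items_rewritten) in compare().items():
        print(f"{name:9} initial files={files:5} "
              f"rewritten files={rewritten} items in them={items_rewritten}")
```

The band layout keeps the initial replication to at most 16 files for hex UUIDs, at the price of rewriting a whole band when a single item in it changes.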

------
srathi
Ouch! I just switched to Firefox 57 and I can't use this new feature!
Shouldn't the WebExtension be portable across both browsers with minimal work
with Firefox 57?

~~~
diggan
Yeah, it requires minimal work but some companies can't even put minimal work
into their extensions so here we are...

------
scblock
Chrome only makes this effectively useless. Considering that the entire
browser market is moving to a largely unified web extension format this is not
that impressive. "Everywhere Chrome works" is simply repeating the mistakes of
the past, but with Chrome now instead of IE.

~~~
AGKyle
Disclosure: I work for AgileBits, makers of 1Password.

This was posted in a couple different similar threads so I'm pasting it here
as it's a direct answer to your concern.

Making extensions cross browser can still be a bit difficult. Our focus here
was to get something readily available for a browser that was in high demand
on platforms that we were getting a lot of requests for (Linux and Chrome OS).

I believe browser support will expand over time with this extension, it's just
that we didn't want multiple browsers to slow our progress or prevent us from
doing cool new things.

Give it some time and I anticipate we'll see browser support expand.

Kyle

AgileBits

------
nathancahill
s/the browser/Chrome

Hey 1Password, make this available for Firefox too. It should be relatively
easy to port with WebExtensions API, since it looks like a toolbar popup.

~~~
diggan
Haven't you heard that the meaning of Browser now just means Chrome. Unless
someone writes cross-browser, they are only targeting Chrome, which as a
Firefox user, really sucks.

~~~
passivepinetree
Hopefully that will start to change with Firefox Quantum, which in my brief
experience has been fantastic.

------
aagd
Definitely not my future. I liked 1Password so far, but my passwords will
never go to the cloud.

------
7ewis
I purchased the standalone Mac 1Password app, but moved back to LastPass.

I _hate_ LastPass, and want to use 1P but LP just seems to work better.
Despite being bloated and ugly.

Admittedly, I haven't tried 1P for around a year now. So as I have a license,
I have been tempted to go back. Is it worth it?

My biggest gripe is in Chrome on iOS. Nothing _ever_ seems to be able to
autofill correctly and the UX is just horrible...

1\. Tap Menu Button

2\. Tap Share Button

3\. Tap LastPass

4\. Authorise Touch ID

5\. Select Password

6\. Autofill fails... Go back to 1. (Then hold to copy the password instead of
fill)

~~~
AGKyle
Disclosure: I work for AgileBits, makers of 1Password

Chrome on iOS is a unique situation.

We offer two things for developers that integrate with 1Password:

1\. Native application integration. The idea here is that apps that offer a
login to their service/site can pull the username and password from 1Password,
then insert it into their native UI controls and sign the user in

2\. Web view integration. The idea here is that the developer passes us the web
view as part of the process and we handle the filling.

Chrome is using option #1, so what they do is give us the URL, we provide the
list of Login items, and then they take the username and password and provide
the filling. For the filling parts we have absolutely no control over this in
Chrome. Any filling related bugs are completely on Chrome to fix. If they used
our web view filling option you'd have consistently the same filling behavior
as 1Password does in Safari on iOS.

Sorry you had this experience though. Unfortunately we can't really do
anything about it except say we understand your pain. We spent a lot of time
and effort getting our filling systems to work as well as they possibly can
and when users report issues in Chrome we have to send them off to Google to
report those and get them fixed.

Kyle

AgileBits

~~~
7ewis
Thanks for the response. I thought the Chrome issue may have been something like
you mentioned.

The fact that you're here and replying is another reason why I want to like
1Password. I'd be shocked if a LastPass employee responded to me.

Will try copying my passwords over tomorrow and see how I get on!

~~~
AGKyle
Absolutely my pleasure.

If you have trouble please reach out via our support page and shoot me an
email. You can ask for me directly if you want and I'll be happy to work with
you to see if we can determine if any issues you encounter are those that we
can fix or not.

Happy to help however I can. But thank you for being willing to listen and
converse. We always love hearing from our users even if it's bad, it gives us
something we can improve on.

Kyle

AgileBits

------
dbbk
Hi, big fan of hosted 1Password here!

I'm just curious, in the blog post you guys mentioned it autofills two-factor
codes. I just tried using the extension on Postmark, and it didn't recognise
the input field for my code. What heuristics are you using to determine the
code input? As a front end developer myself, is there an autocomplete
attribute for instance I could add that would help?

~~~
AGKyle
Is this postmarkapp.com you're having issues with or another URL?

I'd love to make sure I'm testing on the appropriate site and then I can get
you some more information.

Kyle

AgileBits

~~~
dbbk
Hi Kyle,

Yes, postmarkapp.com

~~~
AGKyle
I just set up an account and enabled 2FA for it.

What happens is the extension fills the username and password, then when you
get to the next page, just click the extension icon and choose the item again.
It'll fill the 2FA field.

Or you can use the keyboard shortcut and it'll do the same thing.

Does that work any better? As far as I am aware it won't automatically fill
when the field is on a second page. The filling is one and done, it won't fill
again on the next page without your instruction to do so.

Kyle

AgileBits

------
jaequery
What does this have that Lastpass does not?

~~~
Infernal
Incompatibility with Safari, Firefox, and Edge?

~~~
stimur
Our main app and extension work with Chrome, Safari, Firefox, Edge.

1Password X in particular is a new approach and its first iteration works in
Chrome only. Which doesn't mean it will not work in other browsers as well in
later versions.

~~~
Infernal
Fair enough. And full disclosure, I have been a happy 1Password user for years
- will be a sad day if/when local storage is no longer an option and I have to
find another solution.

------
reiichiroh
Nope. I'm out then having bought desktop licenses from 1.x to 4.x for Windows
and OS X.

~~~
khad
Nothing is changing for you. Apps and extensions are still getting updates,
and there is no plan to slow down. 1Password X is only for people who can't or
won't install the apps (Linux, Chrome OS, corporate restrictions, etc.).

------
vzaliva
Too little and too late. It took them _years_ to finally announce (partial)
Linux support. By this time most multiplatform users like myself tired of
waiting and switched to other password managers like LastPass.

------
BjoernKW
As a long-time happy customer of 1Password I have quite a bit of a problem
with them pushing their new hosted product. If you want to offer that as an
alternative by all means do but don't make it the only long-term option.

I would have no problem with paying a monthly fee or paying for every major
version (as I have done in the past when applicable) but I think for this use
case being able to choose where to host your data - or to not host it at all -
is much more justified than it arguably already is with SaaS products in other
areas.

1Password certainly know their cryptography but do they also know how to
secure servers and networks? I must say I trust Apple or Dropbox a lot more on
this matter.

In general, the tendency to build and provide every aspect of a service is
bothering me. Otherwise known as the Not-invented-here syndrome, which we
largely thought to have overcome with the Internet and the age of hosted
software, particularly Web 2.0 kind of SaaS offerings, this development
amounts to tight coupling and agglomeration of features that are secondary to
the benefit of the actual product at hand:

Why does every application apparently have to provide these features:

\- file hosting and serving

\- calendaring and event notification

\- messaging

\- PDF export

\- and most famously: Email ("Every program attempts to expand until it can
read mail.")

Why is it so hard to provide just the core features of your product and use
other products and services by providers specialising in those to implement
ancillary features required for building a product or service?

We still have to go a long way in terms of connecting with and building upon
other services, one particularly preposterous example of which I recently
encountered with a supply chain management process where a company used two
perfectly fine - if slightly aging - applications to keep track of different
but related data sets. In order to exchange data between these applications a
PDF containing the relevant data is exported from application A, sent via
email and finally manually entered into application B again.

The waste created by processes like this never ceases to amaze me.

~~~
AGKyle
Disclosure: I work for AgileBits, makers of 1Password

I hear you on this, but having years of experience using other sync platforms
and having to work within their unique solutions has proven to us that to have
the best experience it's best to have a solution designed for your
application.

Every sync solution has their own gotchas and dealing with it in 1Password is
incredibly tricky. I get the feeling that many people think sync is this easy
thing that takes a week and you're done. We are still fixing bugs in our
various sync solutions and they've been released to users for years.

Want an example of how each solution is weird for us?

Let's take Master Password changes as an example. If you want grittier details,
our blog post on the topic here gives a really nice overview:

[https://blog.agilebits.com/2015/04/28/how-1password-syncs-ch...](https://blog.agilebits.com/2015/04/28/how-1password-syncs-changes-to-your-master-password/)

But because of how Dropbox works, we have to:

1\. Change the Master Password on one device, let it sync

2\. Unlock the other device, let it sync, lock, then unlock again

With iCloud,

1\. Is the same as above: Change the Master Password on one device, let it
sync

2\. Unlock the other device with the new Master Password.

Very different behaviors and that's just two sync solutions. Adding additional
sync solutions would result in similar oddities between them.

This type of inconsistent behavior is very difficult to explain to users when
things go wrong. They don't want to know these details. They pay us to not
know these details.

We can't provide a consistent experience with other sync solutions. But we can
if we provide our own. Things work the way users expect because we can design
the solution to work like that because we control the entire solution.

This is just coming from a developer who has been doing support with AgileBits
for nearly 6 years. I was the last line of defense between our customers and
our users when they wrote in. I've seen all the messy stuff that users can find
their ways into when things do not work how they expect.

I happily welcome our new solution because we can design 1Password in a way
that makes sense and is actually incredibly secure as well.

That said, if you don't like our hosted solution... have you tried it? If not
well... don't knock something you haven't tried. But if you have tried it and
don't like it I'd love to hear your feedback. Seriously. I welcome your
feedback if you have any after trying it. We love talking with our users and
finding ways to make 1Password better. We wouldn't be where we are without our
users.

Anyway, if you don't like our hosted solution we offer standalone licenses and
version 7 for Mac and version 7 for Windows will both be available as
standalone licensed versions with standalone vaults just like you're used to.
Nothing changes for users like yourself if they wish to continue using that
variation of options.

Kyle

AgileBits

------
plainOldText
I’ve been using 1Password for years, mainly because the data stays local. If
they decide to go full cloud-mode I’m switching to something else or just
write my own cli password manager.

~~~
AGKyle
Disclosure: I work for AgileBits, makers of 1Password

We've already announced that 1Password 7 for Mac will be available via
standalone licenses, and 1Password 7 for Windows will offer standalone vaults
and be available via a standalone license model.

So nothing is changing in that regard. Our 1Password.com is the default
solution we send our users to but standalone vaults are an option for those
that wish to continue down that path.

Kyle

AgileBits

~~~
RoXX1337
Will 1Password 7 for Windows finally have feature parity with the Mac/iOS
versions? It has been borderline unusable for years, I complained in the
forums like 2 years ago and all that has happened since then is that my thread
got deleted.

~~~
AGKyle
Feature parity is something that our Windows team will be working towards. But
you have to keep in mind that our Mac and iOS versions have existed for around
10 years. We last rewrote both of them for version 4 of each. 1Password 4 for
iOS came out in late 2012, and 1Password 4 for Mac came out in late 2013.

Also keep in mind that both our Mac and iOS applications have a fair bit of
shared code. The entirety of their backend, cryptography, local database, and
plenty of other utility classes. This means we write something for one and the
other can often use it immediately. They're also by far our most popular
clients so we have the most people working on them.

Our Windows team has to try to keep up with that. So, as you can imagine they
have a lot of work to do. I would not say they will be feature parity
complete, more or less, ever. It's an uphill battle.

However, I think it's safer to say that with 1Password 7 they will have the
basics done that will allow them to start implementing more user facing
features to try to narrow that gap. There will always be a gap, but it can
certainly be a smaller gap.

We don't delete any threads on our forum unless they are extremely egregious,
so my guess is that the thread still exists unless you got out of line (or
others maybe did). But we have always acknowledged that our Windows apps have
had work to do.

With 1Password 6 for Windows we rewrote the entire client from scratch. It
used to be written in Delphi. The new client is written in C# and built on
more modern Windows APIs. We wanted to build for the future this time but we
also knew that it was going to set us back to square one.

So about two years ago is when we started work on 1Password 6. It has come a
long way, and with version 7 we'll see the return of standalone vaults and
standalone licensing for those that want to remain on that path.

Hope that helps some, I just want to set expectations accordingly. Our Mac and
iOS apps haven't stopped iterating, and our Windows application was already
behind by several years because of the rewrite, it also has nothing that it
can share code with, so it's at a disadvantage. We want feature parity and we
will likely reach that for the most common features but there will always be a
gap. As long as you understand the above, we're happy to field requests for
what you believe needs to be there that isn't already there (in version 6).

Kyle

AgileBits

------
jvzr
Reading some comments, I feel like I may be the only one here: happy, paying
customer. Had the standalone Mac and iOS clients, migrated to the Family plan
when it was announced. Couldn't be happier. I really, really am. Love the
1Password.com client which displays all its usefulness on a guest computer.
Can't wait to try out 1Password X, but unfortunately I've switched to Firefox
recently :(

~~~
AGKyle
Thanks for the kind words. Use the tool that works well for you. If that's us,
great, if not, great. We can't fault anyone for having a different opinion, so
long as that opinion is informed :)

Glad you're on our side though!

Kyle

AgileBits

------
dillera
Agile Keychain - 41.9 MB

Created Wednesday, September 2, 2009 at 5:15 PM

Modified Tuesday, November 14, 2017 at 10:02 PM

I really don't like the idea of ever putting all my passwords on a server that
requires Agilebits to run it. You guys are a dev shop. Let users keep their
passwords themselves and keep the stand-alone version (and extensions for it!)
going with simple version upgrade fees.

------
rynop
Anyone else having issues adding a second account? I go to chrome://extensions/
click on 1Password X "options" > \+ Add an acct. I then get prompted to login
to my 1st account, have no option to add a second account.

~~~
rynop
So found it - there is a "Sign in to another account" at the bottom of the
login page.

------
hobarrera
It targets Linux users, but is Chrome-only (and no Firefox support?).

That's a really really odd step to take, especially considering both browsers
use pretty much the same extensions API.

------
petraeus
Soon 1 Password will be a pay2win model, micro-transactions for filling in the
password online. a second vault? that'll be 2.99 please

------
cdoxsey
The hosted nonsense and poor Linux and Windows support is why I switched to
enpass.

~~~
Nicksil
I'm glad you mentioned Enpass -- I hadn't heard of them. I'm currently a
disgruntled 1Password user looking to jump ship.

[https://www.enpass.io](https://www.enpass.io)

~~~
Mister_Snuggles
I've been using Enpass for a little while and it's working out really well.

The thing I like most about it is that they are not in the cloud business.
They have a list of seven cloud providers that they support for sync and let
you pick one (or none if you don't want to sync). They also support using
WebDAV/OwnCloud for sync if you want to do your own thing.

The other cool thing about Enpass is that it's available for all of the major
platforms. Having passwords synced between my phone, Linux computer, and Mac
is really nice.

------
nsudio
not sure if I am happy or sad to see Agilebits go this route

~~~
khad
It's not a change in direction. It's a broadening of the path. Apps and
extensions are still getting updates, and there is no plan to slow down.
1Password X is for people who can't or won't install the apps (Linux, Chrome
OS, corporate restrictions, etc.)

------
RyanShook
Shout out for Avast Passwords. Already does much of this for free. 1Password
and LastPass always really annoyed me with their freemium model. Avast
Passwords doesn't make you decide between controlling your passwords and
paying for basic features. Highly recommend checking it out:
[https://www.avast.com/en-us/passwords](https://www.avast.com/en-us/passwords)

