
Getting 1Password 7 ready for the Mac App Store - okket
https://blog.agilebits.com/2018/05/10/getting-1password-7-ready-for-the-mac-app-store/
======
cdumler
So, I'll join the chorus here by saying that I've picked up the subscription
fee.

I've been using their software daily for over three years. During that time,
they have consistently improved their product and have been open about issues
(as far as I am concerned). I was a little irked when I saw the subscription
model. I was like, "hey, I paid for this." So, I looked up how much I paid in
licenses by looking them up.. in 1Password. Turns out I paid about $40 for the
Mac, Windows, iOS, and Android clients. That's $40 over three years for
something that I use daily.

Then, look at the $5/mo subscription for families. I get something that gives
me access to all their software versions (Mac, Windows, iOS and Android) for
five people, my entire family (if my cat ever decides to get a computer). I am
a software professional. I pay for tools that keep me going and return me
money because they offer me productivity. I pay for Things, Bear, iThoughts,
and many other apps that have helped me greatly.

One important statement I make to people is: _the price for security is
eternal vigilance_. There are always new ways things get attacked and new ways
to be more secure. I realized that I was gladly willing to pay $60/year to
keep me and my family going while keeping AgileBits running as well. If there
was anything that deserves a subscription, it is your security software. If
it's any consolation, several of my developer friends feel the same way.

My two cents.

~~~
archagon
As time goes on, I've gotten less and less comfortable using proprietary
software for critical tasks. If 1Password were open source, I'd actually be
pretty happy to subscribe. But as it stands, I have no faith that the product
won't change out from under me in the future, whether due to a pivot, an
acquisition, or some other reason. The incentives align in favor of the
business, not the customer. IMHO, subscriptions are already pointing in that
direction.

I'd rather use something like pass and deal with the downsides. (Though I
admittedly haven't switched yet.)

~~~
samatman
For me, something related: can I remove the data in a usable form? 1Password
makes that easy, so like others here, I'm happy to pay them to perform the
'eternal vigilance' that secret-keeping entails.

~~~
Nullabillity
For now...

~~~
facetube
Removing the ability to get your own passwords out of your password management
utility that you paid for would be corporate suicide.

~~~
iuguy
Crippling it, not so much.

I moved away from 1password at the time of the subscription palaver. I managed
to move everything to Keepass but each entry has its own folder.

I don't blame 1Password for the state of my Keepass db (although they pretty
much forced my hand) but the closed nature of 1Password does bite you in the
arse when you decide to leave.

~~~
brightball
I switched from 1Password to LastPass last year and it was a smooth
transition. If they’d had a Linux version I’d still be a customer right now.

~~~
facetube
We evaluated Lastpass about a year ago and the UI was borderline unusable.
Doesn't matter so much for technical teams, but it does in broader use cases.

~~~
brightball
What did you settle on? It’s basically just a browser extension.

------
xoa
I at least partly blame Apple and the MAS being such a piece of shit for
accelerating some of the sub trends we're seeing on the Mac now. It's really
such a genuine shame, because in principle the MAS really could be an
excellent idea, a way to unify and simplify a pain point of Mac use and boost
security at a few levels without a need to alienate anyone or not support
anything. Instead Apple had to make it an artificially pointlessly limited
collection of tradeoffs and mediocrity.

In particular AgileBits is right about the missing upgrade pricing system
really being a bummer. To this day Apple's decision to remove that remains one
of the most perplexing decisions of anything they did with the MAS (or iOS App
Store for that matter). The basic idea of paying just for marginal value added
since original purchase whereas new purchasers are paying for the whole
package from zero is an efficient, sensible and sustainable one that has
supported the software industry well since the very beginning. Ongoing support
of software costs money, particularly when Apple has made it another principle
of theirs to be aggressive about pushing the platform forward vs backwards
compatibility. No upgrades (or volume discounts or anything else) is still
such a mind blowingly stupid decision in every respect. It's forced developers
to make some tough choices unnecessarily, and IAP and subs are one way to go
at it.

~~~
danieldk
_I at least partly blame Apple and the MAS being such a piece of shit for
accelerating some of the sub trends we're seeing on the Mac now. It's really
such a genuine shame, because in principle the MAS really could be an
excellent idea, a way to unify and simplify a pain point of Mac use and boost
security at a few levels without a need to alienate anyone or not support
anything._

I agree. Many of the applications that have moved out of the app store (e.g.
Dash) have also ditched sandboxing.

Going back to the situation where every application can read your whole home
directory is a large regression.

(Of course, non-MAS apps can also be sandboxed, but many developers do not do
it.)

~~~
bwoodruff
1Password 7 for Mac is sandboxed, regardless of where you download it from.

Ben Woodruff

AgileBits

------
makecheck
There are at least two elements to software maintenance: one is adding truly
new features, and the other is making stupid changes just to keep old features
working as they always did (often due to platform or hardware changes,
_especially_ with Apple!).

I see Apple coughing up none of the costs that they _create_ by regularly
fiddling with their platforms and hardware in breaking ways, yet that is a big
reason why software can’t be sensibly “bought once”. Now they’ve come up with
a scheme where they not only don’t give developers discounts for maintaining
software but actually take yet another cut.

Don’t judge developers too harshly.

~~~
Mister_Snuggles
> There are at least two elements to software maintenance: one is adding truly
> new features, and the other is making stupid changes just to keep old
> features working as they always did (often due to platform or hardware
> changes, especially with Apple!).

I'm OK with the model that VMware is using, at least on the Mac.

You buy version X, you have version X. Version X gets updates for some amount
of time. Eventually, a Mac OS upgrade makes version X no longer work, so you
have to pay an upgrade price to upgrade to version Y. There is no
subscription, but there is regular income to the company to make the updates
you describe.

~~~
pfranz
I like that model, too, but at least for something like 1Password I can see
two issues. You'll have people using older versions with possible security
vulnerabilities. If you're using hosted passwords you have to deal with
dealing with multiple versions of the client indefinitely (although, you'll
probably have to deal with a bit of that anyway)

~~~
Mister_Snuggles
When you include the hosting service, having a subscription (since you're
providing an ongoing service) makes perfect sense. In this case, so does also
forcing the current version.

~~~
pktgen
I agree that subscriptions make perfect sense for services (because servers,
support, etc. cost money on a monthly basis), but the trend seems to be to
create an arbitrary reliance on a hosted service as a way to justify
subscriptions. Luckily 1Password hasn't totally gone that way yet, since they
still offer standalone licenses for local vaults, but I feel like it's the
direction they're going.

------
0culus
Although it's been said that they will continue supporting licenses through
their website, they have made this feature _extremely_ difficult to find ever
since introducing subscriptions. I've been a loyal user of 1Password for a
long time, and I think it's great software. I use it on both my Macs, as well
as on my iOS devices.

However, hiding the non-subscription feature is silly. I do not wish to add
yet another subscription (especially something so crucial as what manages
my passwords; I need [edit] it to work, no questions asked), and I would be
more than happy to purchase a new license for 1Password 7.

~~~
roustem
Most of the HN users reading this thread do understand the difference between
licenses and subscriptions. It may seem strange but this is not the case for
the vast majority of the users. We have customers emailing us about having a
1Password account/subscription since before 2015 (when we only had licenses).

We originally started with offering both licenses and subscription as equal
options. Here is how it looked:
[https://web.archive.org/web/20160420141241/https://1password...](https://web.archive.org/web/20160420141241/https://1password.com/pricing/)

There was a lot of confusion with this design because people simply had no
idea what to choose. It is ridiculous but we had many hundreds of customers
purchasing both.

The subscription is a better option for most of our users because it takes
care of so many things:

- no need to purchase separately on every platform

- no need to learn the difference between iCloud and Dropbox sync, and why
sharing is not possible with iCloud option

- no need to learn how to set up a shared Dropbox folder

- no need to worry about backups when your computer or phone dies

- and more

Many of our long-time customers still use licenses and are happy with the
existing setup and we want to keep them happy. This is the main reason we keep
the licenses going and releasing new version for Mac and Windows support for
licenses and standalone vaults.

~~~
ketralnis
What is the future of dropbox sync between desktop and iOS? Am I right in
assuming that since you keep only mentioning iCloud that it won't be possible?
I can just decline to upgrade the desktop client, but I can't just choose to
ignore updates to the iOS client.

~~~
AGKyle
We just recently, as of version 6.8 I think it was, updated the Dropbox SDK to
work with their newest API version.

There are no plans to remove Dropbox support. Especially not after we spent an
entirely non-trivial amount of time getting the SDK updated.

Kyle

AgileBits

------
spv
I have been using Bitwarden for some time now. It’s an open source password
manager. There are apps for all major platforms and extensions to all major
browsers. Check out [https://bitwarden.com/](https://bitwarden.com/)

~~~
ringshall
To be precise, their base software is Free software, licensed under the
AGPLv3. They also distribute non-Free (and non-Open Source, and non-gratis)
software.

Their base software has an artificial limit in terms of number of users and
number of 'collections', which goes contrary to the ethics of Free software.

~~~
shadowmint
How can this be an issue if their base software is open source? Just recompile
it with the numbers upped, surely?

~~~
daveFNbuck
Your passwords are stored on their server. You'd have to compile and run your
own server, which is more expensive than the $1/month they're asking for.

~~~
Xylakant
So you’re paying for the service they offer: a hosted version. You do so
because it’s cheaper than hosting your own. There’s no conflict at all with
any open source ethic.

~~~
daveFNbuck
Yes, that's exactly what I was saying.

------
AdmiralAsshat
So remember when 1Password claimed it was superior to LastPass for only
requiring you to pay a one-time fee and _not_ storing all of your stuff in the
cloud?

Good times.

~~~
shinratdr
To be fair, it still does all that stuff.

I get that these moves make people nervous, and rightfully so. But as it
stands every version of 1Password in active development (not including
maintenance mode):

* Can be licensed standalone.

* Supports local & Dropbox vaults.

* Was released within the last year, actively supporting those features.

The only feature they’ve actually killed off (by not baking into future
clients) is WLAN sync. This is a regression for some, but personally I always
found it super impractical.

I agree that how they are going about this doesn’t inspire confidence that
these features will remain in the product, but to some extent it does.

While they downplay the hell out of it, 1Password 6 for Windows was a ground
up rewrite that ditched local vaults and standalone licensing. Those features
were reintroduced in 1Password 7 for Windows, which is a pretty big backtrack
for them and requires renewed development effort.

AgileBits doesn’t always make the right decision. They develop opinionated
software, like most good developers. However, just like the MAS-only decision
they made with 1Password 4 and stood by for some time, eventually they do
right by their customers.

1Password 7 for Windows is a great example of that. As much as they would love
to go cloud only, they heard the feedback and brought back those two key
features. At this point, I can’t expect much more than that.

~~~
kobayashi
Are you sure they’ve killed WLAN sync??

~~~
shinratdr
They’ve announced it will not be built into the Windows client as they would
have to rewrite it for the new codebase.

It’s still available for the Mac client, but they’ve essentially said they
won’t be supporting it in the future.

~~~
kobayashi
How far into the future? 1Password 8?

------
bpicolo
While I could understand people being upset about this, I pay for a 1password
family subscription. It really is a terrific investment. As far as
subscription services go it's about the best bang for my buck that I get. A
sustainable service model is important for something I rely on so much -
especially something that needs to keep on security lockdown.

Also makes it easy for the family to share hulu, netflix, whatnot.

~~~
DavideNL
I wonder if it's so much better than for example Bitwarden for families, which
is $1/month. ([https://bitwarden.com](https://bitwarden.com) )

Also, the switch to the "1password cloud", instead of the already _freely_
available iCloud/Google Cloud/Dropbox etc, just seems like a move to make
people believe their expensive subscriptions are justified. There was
absolutely no demand for a "1password cloud".

This entire push to subscription-hell makes me sick...

(I've had 1Password paid versions, OSX & iOS, for like 7 years btw.)

~~~
roustem
If you look at 1Password features, a lot of them are simply not feasible to
implement without having a server-side component. Most of them revolve around
sharing, permissions, automatic backups, account recovery, 2FA, etc.

Vault sharing is simply impossible with iCloud. Sharing with Dropbox requires
manual set up of shared folders.

~~~
NLips
If you don't have a server-side component, you already have 2FA - your
password and your non-syncing device.

~~~
bwoodruff
This is a very good point that most people fail to understand. We get frequent
demands to add 2FA to standalone vaults... the best we can do is try to
explain.

Ben Woodruff

AgileBits

------
cygned
I really like 1Password, it has been my daily driver for years. The creators
gifted me versions for macOS and iOS years ago, so I never had to pay for it -
which I would have done happily and, in fact, just recently did.

But the push to the cloud versions gives me a headache. I don’t want to sync
using their cloud - I actually sync using a WiFi server. While it’s (still)
possible to obtain the standalone versions, it’s difficult to find them. And I
expect that in a few years, they’ll be gone completely.

I am looking into Bitwarden at the moment as a self-hosted alternative but I
haven’t decided yet.

~~~
akerl_
It's worth noting (and not super obvious because of their marketing) that
"getting a subscription" and "using their cloud sync" are not a mutual
requirement. You can pay via subscription and continue using local/Dropbox/etc
vaults.

This part was super confusing to me until I dug deeper when a friend upgraded.

So the primary impact of switching from standalone license to subscription, if
you're planning on using 1Password for a while, is that instead of paying a
larger chunk of money every so often when they drop a new major version, you
move to paying a flat couple bucks a month or larger chunk per year.

~~~
kalleboo
The developer's comments on the article contradict what you're saying:

> 1Password 7 from the Mac App Store will only support our hosted service, as
> that’s what you’re purchasing with a 1Password membership. If you install
> from our website, you’ll have the option to use a standalone vault synced via
> iCloud if you purchase a standalone license, or use our hosted service if
> you purchase a 1Password membership.

> As it stands, though, how you purchase 1Password is intrinsically tied to
> where you store your vaults and how you sync them

~~~
Groxx
It's super frustrating how vague and contradictory they're being about this :\

I understand why they're subscription-only for the mac app store, as a way
around its insane lack of pricing flexibility. Makes sense, fully support,
etc. But they seem to be continually pushing the non-cloud options further and
further away from visibility :|

~~~
Groxx
Late update: I asked on twitter, got an answer:
[https://news.ycombinator.com/item?id=17115334](https://news.ycombinator.com/item?id=17115334)

Subscriptions will _only_ support cloud sync, not local.

~~~
AGKyle
Sorry for the confusion. This is simply incorrect and I need to hunt down who
is saying otherwise and get this fixed on our end.

If you have a subscription you can create standalone vaults outside of your
subscription and sync those using iCloud, Dropbox or WLAN sync if you wish.

This behaves the same in version 7 as it did in version 6.

Kyle

AgileBits

~~~
kalleboo
The first reply on the top comment of the official blog post says "1Password 7
from the Mac App Store will only support our hosted service" so you should
probably start by correcting that...

~~~
AGKyle
Thanks, looking into addressing that now.

Kyle

AgileBits

------
tgb
Can I use this space to ask how people actually use password managers on
mobile? I got LastPass recently and put on it a good secure "correct horse
battery staple"-type password. So now when I use accounts on my phone I have
to type _that_ password instead of my short, randomly generated,
reused-all-the-time password. This means I'm more secure (no password reuse) but typing
30ish characters without error into my phone is tough! It usually takes me
three tries and every time I curse my new password manager.

But the alternative seems to be staying logged in to LastPass which means it's
just my four digit phone pin to get access to everything. I mean, I guess if
someone takes my phone and bypasses my PIN then I've already lost basically
everything. But at least I wouldn't also be signing them into my bank account.
My phone doesn't have biometrics which I think would be my compromise if it
had them.

~~~
cschmittiey
If you're on Android 8 or above (yes, I know most people aren't) there's
support for password managers filling passwords in almost any app. Some apps
aren't well built and don't support it. As far as I can tell, it's not
something the developer has to explicitly enable support for though.

Anyways, I use the Bitwarden app on my S8 (and previously HTC 10) and it works
great. I tap a password field, Android asks me if I want to fill the password,
I unlock my "vault" with my fingerprint, and tap the right account for that
app. It's pretty easy.

LastPass and Bitwarden also can hook into accessibility features on Android 7,
to enable most of the same features, but since it's not part of Android and
baked in it doesn't work quite as well.

~~~
karimf
Hey, thanks for telling. I've been using 1pass on android since a long time
ago, and autofilling username and password is a real hassle. In the past the
only way to do the autofill was to use the 1password keyboard, which is
inconvenient for me to change keyboard every time filling a password. But I
just try the new autofill feature on the Android 8, and it works like a charm.
It supports autofill on native apps and webpage via Google Chrome as well.

------
greggarious
I've been using KeepassXC (KeePass w/ macOS GUI elements) and enjoying it.
It's a little simple (you just copy and paste the PW). It doesn't do fancy
autofill but there's support for pretty much every OS.

(I use Spideroak to sync the DB across devices)

~~~
tajen
Guys, why not Keychain, the default password manager of macOS?

~~~
pvg
iCloud Keychain is Safari-only.

~~~
ben_w
Not any more. I can access keychain passwords in Chrome on iOS.

~~~
pvg
It's Safari-only on macOS, as far as I know. It does work with iOS apps and it
doesn't work on Windows. It can't replace a password manager unless you use
Safari on macOS as your primary browser.

~~~
ben_w
On macOS, _Keychain Access.app_ (built in) can be used as a stand-alone app to
generate and store passwords.

FWIW I’m using a plain text file in an encrypted disk image, because I started
before I found out about _Keychain Access.app_ , and I never actually trusted
third party apps for security reasons and possibly paranoia, so I can’t
compare UX quality, but it is available in a form on the desktop.

~~~
pvg
The purpose of a password manager is some kind of multi-device password
sharing. Plain macOS keychain doesn't do that at all. There are certainly ways
to manually emulate parts of the behaviour of a password manager, whether it's
with Keychain Access or post its in your wallet (or various combinations
thereof). Password managers are about automating all that.

~~~
ben_w
It _is_ multi device though. Sure it’s Apple only, but it’s _all_ my Apple
devices, macOS and iOS (I don’t have a watch or a TV), not just wherever the
password was created.

~~~
pvg
It's not. Keychain is not synced across devices. iCloud keychain, a separate
service, can sync parts of keychain.

iCloud keychain is a perfectly reasonable (and as a UI, probably better than
anything else) password manager iff you use Safari as your main browser and
all your other devices are Apple devices.

~~~
ben_w
OK, that’s something I didn’t know, and I may be missing something from such a
silly name overlap. However, I do have items in _Keychain Access.app_ which
are from iCloud. What gives?

~~~
pvg
Keychain Access lets you view your local keychain (i.e. your device's secure
trust store). If you have iCloud keychain turned on then certain parts of your
keychain will be synced across devices so you'll be able to find, say, a web
password you generated on your phone in your Mac's keychain (via Keychain
Access and otherwise). The terminology is a bit confusing, that much is true.

If you can live within the constraints of iCloud keychain (the Safari/Apple
devices thing, don't need stuff like team sharing, etc.) it's arguably a
better solution than 1Password.

------
rmorey
Why are people so vehemently opposed to the 1PW cloud sync service? For
unencrypted data, I completely understand this. And in general, it's great to
have the option to sync using whatever service you want. But the data that 1PW
stores is encrypted up the wazoo and AB couldn't extract your passwords from
it even if they wanted to. In their security document they even outline how
useless it would be for a bad actor to even _steal every bit of data they
have_. And if some day their data center suddenly explodes and all that data
is lost, your data is cached on all your devices anyway, and it's trivial to
just export to another password manager.

Am I mistaken?

~~~
nighthawk1
I’d rather control the data myself. I view cloud hosted password providers as
huge attack targets and they generally get hacked eventually (roboform,
lastpass, etc.). At least if you control where the data is stored your data can
be kept off the radar so to speak.

~~~
y_molodtsov
As far as I remember nobody really had any problems after the LastPass hack,
since the data was encrypted anyway?

------
nsarafa
I lost faith in 1Password when they forced me into the subscription model
despite paying full price for the product years ago

~~~
SirensOfTitan
I don’t really get this perspective. You can continue using the version of
1Password that you bought without issue. The expectation that your purchase
years ago should entitle you to updates forever is pretty ridiculous.

~~~
Barrin92
when utility or productivity tools are offered at a fairly steep price point
as 1password was people usually have a reasonable expectation to receive
long-term upgrades.

It's not ridiculous at all because it generally is the norm.

~~~
SirensOfTitan
I spent around 45-50 dollars in 2013 for the Windows+Mac Bundle and iOS apps.
1Password 7 is the first paid in my experience using the software, which is
vital to me every day.

Roughly 10 dollars a year for a critical utility software isn't "fairly
steep," and I also fail to understand how so many years of free updates imply
any type of "reasonable" expectation of long term updates.

~~~
Barrin92
it's pretty steep in comparison to the alternatives in the market. What does
1password offer that the free version of lastpass does not?

~~~
roustem
Better security and better user experience to start with.

Unlike most of competing products, 1Password encrypts pretty much all
information, including vault names, item titles, URLs, tags. It is easier to
list what's not encrypted. It is also probably the only product using SRP.

Now check out what information is sent in plaintext or base64-encoded in other
products.

~~~
Barrin92
As far as I am aware lastpass and keeper are the only two password managers to
receive soc II security reports.

Also I'm pretty confident the entire lastpass vault is encrypted locally as
well.

~~~
roustem
1Password service has completed SOC 2 type 1 and 2 certification as well. It
is more about internal company processes and how they are followed than
encryption.

"Hey your data is safe just because we have SOC 2 certification" -- that's
not what you want to hear.

About vault being encrypted locally:
[https://hackernoon.com/psa-lastpass-does-not-encrypt-everyth...](https://hackernoon.com/psa-lastpass-does-not-encrypt-everything-in-your-vault-8722d69b2032)

------
PakG1
With all these subscription-only apps that are proliferating, I am curious how
many enterprising app developers would be interested in making and marketing
"cloudless" apps that rely on up-front high prices for revenue, but
neverending free updates (mostly bug fixes, I would hope). With GDPR, this
seems like it would actually be easier to deliver.

Of course growth numbers may suck, given how hard it is to make it for any app
these days. Long-term growth would probably actually not be sustainable
because if it blows up, there is no additional revenue down the road from lack
of subscription, and also no network effects to power exponential growth in
terms of market share. As far as I can tell, if you're not going to do
subscription, there's no way to force users to pay to upgrade to a new version
(new features) in the Apple App Store, not sure about Google Play. Your only
option is to maybe create a new separate app that's able to import data from
the old app, but that seems tacky to me. So, this really wouldn't be a big
long-term play at all. But I imagine that there must be short-term markets out
there willing to pay for apps that don't keep their data and usage hostage.

I'm myself thinking of making an app like this for budget tracking, just
because I haven't found any out there these days that don't require
neverending subscriptions and also fit my unique needs. Cloudless is also fine
for me, as my phone is storage enough, or if it isn't enough, maybe use my
iCloud storage, Dropbox storage, Google Drive, OneDrive, etc for holding the
data? Besides that, it'll finally give me the kick in the behind I need to
finally learn Swift, which I've been meaning to do for a while. Alas, I
imagine cost of customer acquisition may be too high to make even a short-term
profit.

So... would this just be a small project for me to prove I can learn Swift and
show future employers that I can make smartphone apps too? Or is there
actually a real business here and in so many other niches because some people
hate being locked into subscription fees? Curious if anyone else has some
thoughts.

~~~
codetrotter
> I'm myself thinking of making an app like this for budget tracking, just
> because I haven't found any out there these days that don't require
> neverending subscriptions and also fit my unique needs.

Did you try GnuCash? It's not user friendly but a friend of mine swears by it.

[https://www.gnucash.org/](https://www.gnucash.org/)

~~~
geff82
This software is slow and a real pain to use for anything else than personal
finances or the 12 bills a year you write as a contractor.

~~~
TomK32
I moved from GnuCash to hledger. And while I did use both for the 26 bills a
year I write as a contractor, I also had all my personal finance in both.
Expenses are more like 12 or 4 (the big ones) a month and control was really
necessary.

What you'll like about hledger and legerCLI is a) the undo function of your
favourite text editor and b) separate files that you can include into a master
c) awesome reports on the terminal.

------
jarym
The reason I won’t go for a subscription is because I don’t want to find
myself locked out of my password manager if I stop paying the subscription.

With IntelliJ (JetBrains) I get perpetual fallback and that makes me super
comfortable with a subscription model.

Will AgileBits offer perpetual fallback? I doubt it. Their product works well
but their marketing team are a let down.

~~~
ixtli
Thank you for this comment. JetBrains subscription also drops in price over
time to reward you for continued patronage. It's the only subscription model
I've ever been comfortable with.

------
hs86
I hate subscription models but with 1PW 7 I would have to pay +40 € for each
the Mac and the Windows version and still not have access to new features like
the travel mode or the CLI client.

AgileBits seems to be an honest company and they went the extra mile to
backport some new features (TOTP) to their dated 1PW 4 codebase. I will give
them the benefit of the doubt and try their subscription and should they ever
turn 'evil', I know that alternatives like Bitwarden or Enpass are available
and ready to import my 1PW vault.

~~~
roustem
Thank you, @hs86. We will not let you down!

------
senthilnayagam
I did not pay for a subscription software, I bought a password manager which
stored password locally.

I also don't want to pay for an upgrade just because Apple upgraded the OS.

I now only buy mac software on Mac App Store.

Apps which I have not renewed include 1password, screenflow, textmate, vmware
Fusion,

Paid Products I wish were on Mac App Store with free updates. Sublime, Paragon
NTFS , printopia

~~~
dingo_bat
So you want perpetual free updates? I think your expectations might be a tad
unrealistic.

~~~
Casseres
It should be built into the initial price. And perpetual is unrealistic, but
10 years is not.

Microsoft provides 5 years of Mainstream Support and 5 years of Extended
Support at no additional cost (cost is built into the initial license fee).

Heck, I would more trust software that says 10 years of guaranteed support
rather than lifetime support. Too many companies fudge the meaning of
"lifetime", and 10 years blows Google's 2 + 1 years of Android support out of
the water.

~~~
nqzero
there's a huge difference between supporting the version that they sold you
for a specific version of ios and writing a new version to work with future
changes to ios (which they don't in any way control)

~~~
josteink
Not really. As an iOS user I am forced to update the os for software to be
supported and receive new security updates.

That Apple makes previous versions of my installed software incompatible when
I do upgrade should not be my problem.

(That said, I agree there is a problem here, and I think Apple should
ultimately be the one who fixes it)

~~~
y_molodtsov
No, they shouldn't, they should throw away legacy code as they've been doing
ever since.

------
robteix
I have a family subscription of 1PW. I can easily share some password with my
wife and our daughter is getting used to using a password manager before she's
10.

I totally empathize with those who refuse to use cloud/subscription services
as, let's face it, there are a lot of bad actors doing crappy things with our
data.

But for me 1Password seems like a small, honest company providing great
quality service and software. I'm a happy customer.

~~~
gergles
> But for me 1Password seems like a small, honest company providing great
> quality service and software.

Yes, I imagine because they have carefully crafted that image through blog
posts and impression management. They have over 70 employees to write a
password manager. _70!_

~~~
roustem
We are actually more than 100 people now. A big part of our team is dedicated
to customer support. After all there are over 15 mln 1Password users and we
get several thousand emails per day. There are over 30,000 businesses using
1Password.

We have designer and development teams for Mac/iOS (Objective-C, Swift),
Windows (C#, .NET), Android (Java, Kotlin), browser extensions (JavaScript),
1Password server (Go), 1Password web client (TypeScript, ReactJS), command-
line client (Go), SCIM/LDAP integration (Go, Docker, Kubernetes), and a ton of
other smaller projects.

There is a Security Team that does security reviews, works with BugCrowd
researchers, and does SOC 2 compliance. DevOps team works with AWS and Google
Cloud.

We want to do more. We are hiring :)

------
dvcrn
I love 1Password and immediately bought a standalone 1P7 license when they
started with the beta.

I agree with some others that they bury the hell out of the standalone one and
want people to go for the subscription, but as long as I still have my
standalone one, I am a happy customer. 7 looks and feels great, and for a
software that I used for years and years since I first bought my license, this
upgrade felt justified.

I in no way felt I had to upgrade though and could have just stuck with 6.

My only worry is that with 8, it might become subscription only for good...
(Please don't!!)

------
mychael
1Password does not care about loyal users who have been there since the
beginning. They care about getting new subscriptions. Fair enough, I'll just
take my business elsewhere.

~~~
bwoodruff
I’m sorry we’ve made you feel that way. What is it that causes these feelings
for you? I certainly won’t deny that we feel strongly that for the vast
majority of customers membership is going to provide the best experience, and
so that is primarily what we talk about. But we’ve done a fair bit of work to
keep standalone vaults and licensing.

Ben Woodruff

AgileBits

------
preek
Good timing that I moved all my passwords from 1Password to Emacs and GPG one
year ago. It’s a pity; I’ve been a very happy customer for a long time, had
licenses for multiple machines and was happy enough to pay for the updates.

But my data shall be my data, again. I’m not paying for an app that I
regularly have to buy an upgrade for and which doesn’t give me the opportunity
to hold my data locally after explicitly having this as a selling proposition
for many years.

~~~
akerl_
People keep bringing this up, and it feels like a major failure of Agilebits'
marketing approach.

The subscription service changes the frequency at which you pay Agilebits; it
does not mandate how you store your data. 1Password 7 continues to allow all
the kinds of local/Dropbox/etc vaults that prior versions allowed.

If somebody at Agilebits is reading this thread: look around at these
comments. The lack of clear information about local storage in the
subscription model is causing massive levels of customer concern.

~~~
danieldk
I think it is likely that they want to hide this option, as they have hidden
the standalone version. I think their long-term plan is to have everyone on
their subscription with data stored in the 1Password cloud.

This reduces support and development load (no need to support
local/Dropbox/Wifi sync with all its edge cases) and guarantees monthly/yearly
payments.

~~~
roustem
The support and development load is indeed much higher when it comes to
standalone vaults. There is an infinite number of scenarios out of our control
when it comes to Dropbox and WLAN sync. Several times in the past we had
support inbox at over 10,000 emails waiting for response.

If AgileBits was VC-funded then we would have to drop standalone vaults, no
doubt. It is a good thing that we are not. We do care about our long-time
customers and will provide standalone vaults for as long as there is demand
for them. Just please do not ask us to make it a default option.

------
drivingmenuts
I'm glad they're at least offering non-subscription licenses. I hate feeling
like I'm having to buy the software over and over again, just to get security
updates.

While 1Password works better than the rest of the pack, they're not exactly a
fountain of new, needed features.

~~~
mtkd
I've used 1password since 2010 when I paid $69.95 for a family license.

It seems to need upgrading for each new version of OSX - but I still only use
the features now that I used in 2010.

------
eecc
I’m very happy with Safari and the macOS keychain app. Indeed if Apple allowed
access to un-sandboxed apps I’d be happy to share with Chrome

------
sgeisenh
This just reminds me how excited I am for passwords to be replaced. We
shouldn't need a third party application as an authentication shim for every
service that we use. The high lock-in on password managers is also unnerving.

------
lancewiggs
Sending any information to Agilebits besides payment requires a whole lot more
trust - and stuffing over customers was not the way to earn it. So no - I
don’t trust them anymore.

I’ve recommended 1password to hundreds of people, so it’s sad to see the
decline. I would and did accept a simple annual new paid version - but the
upgrades seemed to remove/hide the basics like Dropbox sync or one location
for passwords.

So now there is a gap in the market for a paid easy to install and sync
password manager that makes it trivial to store data locally. Surely they are
a lot easier to create now?

------
jsgo
At this point, I'm not upset about this as I previously subscribed, but I'm at
the point now where I'm thinking of bolting because it has become a pain. At
this point, I just need to find something that is secure, portable, can be
backed up, and cross platform.

The syncing experience since at least 6 has been spotty between my Windows
client, my iPhone, and my iPad. I can't tell you how many times I've had to
reset a password because the device I was on didn't have the current gibberish
password. Maybe I'm holding it wrong, but using the create login -> password
generation bit does not sync at all. There's also the issue that every time I
shutdown my Windows PC, I am greeted with an alert that AgileBits.1Password
(there's another dot-separated part in the name as well, not sure what or
specifically where) there was some issue in it that I have to close to
shutdown.

With all that being said, I don't think Agile Bits is a bad company or that
the subscription model is evil or anything of that nature. I think they're
pretty decent people that are trying to keep the company profitable and alive.
Paying for updates for password managers probably isn't the sexiest business
model on either side of the equation. I _would_ prefer that once I pay for it,
it could function at that level (with maybe bug fixes) leveraging DropBox,
iCloud, OneDrive, whatever, but I also understand they felt the need to cut it
off and keep it relatively simple. It just isn't for me anymore.

~~~
bwoodruff
Thanks for taking the time to share your thoughts. I understand your
perspective, and I’m sorry to hear that ultimately 1Password did not work out
for you.

One of the primary reasons we built 1Password memberships was because of
difficulties faced by customers in syncing with 3rd party services, and
difficulties faced by our customer service team in troubleshooting those
services (often black boxes).

Ben Woodruff

AgileBits

------
SomeHacker44
I would be okay with the subscription plan if they would allow for a permanent
license after the subscription ends. Something like what JetBrains did. I was
going to drop using JB software until they added that feature, and now I am a
happy ”subscriber.”

I feel what galls people is that we buyers have nothing to show after ending a
subscription, especially if we are not using anything “servicey” about said
subscription.

~~~
heimidal
You can just buy a license to 1Password whenever you want, though... it’s not
subscription only.

------
alexnewman
I still have no idea why people don't use pass. I put my trust in gpg and git

~~~
mychael
link?

~~~
Spivak
[https://www.passwordstore.org/](https://www.passwordstore.org/)

------
drej
I honestly can’t remember when I last paid for 1Password, yet I use it on my
Mac and iOS devices (since 2011 it seems!). It never prompts me, it just
works. I don’t follow the pricing policy changes, the only thing I know is I
don’t want a subscription. I just want to pay for this great piece of
software.

So I hope this just means I’ll shell out $50 or so and be done for a few
years? If so, then great.

~~~
Bud
It doesn't mean that, they are aggressively making sure it will never mean
that again, and it definitely won't be fifty bucks for a few years. (It's
$36/yr.)

~~~
majidazimi
Office 365 gives you a full office suite (including outlook) + 1TB of online
storage + 50GB ad-free mail for 70$/year. According to complexity rules,
1Password shall ask for 36$/century.

~~~
heimidal
This isn’t even a reasonable way to compare product pricing. Xbox Live Gold
costs nearly as much as Office 365 Personal annually, and it is barely useful
unless you own games to go with it. Or we could compare Office 365, at $70, to
Apple iWork, which is free. Sure, Office has more functionality, but does it
have _infinitely_ more?

------
isarat
I was skeptical about going for subscription. I started when I travelled
abroad where I followed Basecamp’s travel tips (handbook). Things have changed
when I started using 1Password 7 and 1Password X. The apps are very polished
and pretty handy. I use Linux a lot these days and 1PX and CLI is very
helpful. Never regretted the cloud update upgrade.

------
awesomepeter
An alternative which lets you host your data is Enpass. I've been using it but
I'm not sure how secure it really is.

~~~
sigzero
> I've been using it but I'm not sure how secure it really is.

Then why use it? That seems like an important detail for a password manager.

------
vbezhenar
1Password for Mac and iOS worked flawlessly. But I recently migrated to
Windows and installed 1Password 6 for Windows. It's just bad software. It's
not responsive (I'm pressing "Save" and it works for a second or two, while
I'm expecting it to respond instantly), it has some obvious UI bugs, but worst
of all, it crashes very often, I don't remember a single program that crashes
so much. It just feels very unpolished. I'm waiting for 7-th version to try
it.

I thought about BitWarden but I don't really like its technologies. It uses
.NET for server which is not very native for Linux. It uses JavaScript for
client which I don't like at all. I wish it used something like Go or Java for
server and .NET for client.

So far my primary candidate to switch is KeePass. I don't like it a lot, but
at least it works and it's reliable.

~~~
xxkylexx
.NET Core is just as native as Java on Linux...

~~~
vbezhenar
I happen to be Java developer, so for me personally Java is fine. But yes,
something like Go or Rust would be even better.

------
mark_l_watson
1Password is a good product - I used it for a trial period a few years ago. I
ended up going with SpiderOak's Encryptr: open source and free.

In any case, I try to get family and friends to use a password tool like
1Password, Encryptr, etc. It drives me crazy when people re-use the same low-
entropy password for everything.

------
ggm
There is a non-subscription, licence-purchase model. They basically obfuscate
it, (ok: kinder is "don't market it strongly") But there IS a licence model.

So mainly, the issue is how "hard" they make it to find. That, and the 'don't
be evil, but hey, we changed our minds a bit' aspect to what was said in the
past and now emerges.

The APP store doesn't help, but I think it's ass-backwards to use that to
"sell" the subscription model. Honestly? I could come into this now and not
care, but as a licence holder, the way it's being done irks me.

Just make it easier to find the licence option on the web page and in your
apps, and I'll be good.

~~~
AGKyle
Making it easier to find is a double edged sword and the reason why it's
harder to find now.

If we make it easy to find it will cause confusion for users about which to
get. When we did this in the past we had a lot of users who thought they had
to have both and as such would purchase both. This led to a lot of refunds on
our part and explanation for which they should get.

Turns out most users are perfectly happy and will benefit greatly from the
subscription side. This site and a couple of other places being the exception
to this as many of you seem to prefer licenses which means this aggravates you
all, but for the average person they benefit greatly from the subscription side
and it's the one they often choose when we explain the benefits of each.

So making it easier to find puts that problem back on the table and quite
frankly, it's something I'd really personally rather not deal with like
before. It's easy to say differently until you have hundreds of users at any
given time looking for help with what to buy or you accidentally find out they
purchased both while helping them with some other unrelated thing.

The Mac App Store makes sense for subscriptions though. They will always have
access to the latest version so long as the subscription is active, so we
don't have to deal with upgrade pricing there.

For license users though it's not as clear cut. We can either issue a new app
each time but we can't advertise the new version in the old version (rules)
and this will end up with a lot of users not knowing there's a new version
out. Subscription users will also have to upgrade manually each time and
that's not convenient for them at all given they're entitled to that new
version as part of their subscription.

We're trying to make it easy, though it's going to be difficult this time
because we do have to get license users to switch entirely to our direct
download version.

Once this is done though, subscription users can use either or, whichever they
want.

License users will always use our direct download version.

When an upgrade comes out our subscription users will always be upgraded to
the latest version without issues. Our license users will be prompted to
upgrade or be informed of the upgrade in some way.

This is how it should work, unfortunately it was not possible to do this for
the Mac App Store so we had to make changes there. Perhaps things change with
the Mac App Store in the future and we can bring back both, but for now, this
new method we're using provides the best user experience for both sides, once
the switch is made.

I'll be the first to admit I hate removing choice from the equation here, and
I hate that we have to get users to do work in the first place. But sometimes
there are things outside of your ability to control and this is one of them
for us.

Hope that gives some additional insight that wasn't present in the blog post
though.

Kyle

AgileBits

------
serbrech
I've been staying on v4.x to keep the sync to dropbox. I don't want to use
their hosted service. I don't want my master password to transit over the
internet and its hash to be stored in a db, no matter how secure they are.
Centralizing this makes it a target of attack. There is no way a hacker will
try to get my credential unless he targets me personally, and there is little
to no reason for this to happen. It does exactly what I need it to do. I don't
need all the fancy other additional features. :(

~~~
bwoodruff
Your Master Password is never transmitted or stored hashed in a database.
Please check out our security whitepaper.
[http://1pw.ca/whitepaper](http://1pw.ca/whitepaper)

Ben Woodruff

AgileBits

------
indemnity
I thought I'd check out the beta, but what I didn't like about it is that it
didn't even let me know the standalone approach was an option. Before I'd
known what happened it had imported my previous passwords from the standalone
version I had before and uploaded them to my 1Password.com account.

Pretty unhappy about this, I make it sync to iCloud because it's basically the
only cloud provider I somewhat trust.

I do not want a bloody 1Password.com account.

How do I now know they've really deleted my data slurped into 1Password.com?

------
MindTooth
I think for myself that I won't upgrade. The whole process is a mess when
coming from the regular App Store app, and the need to convert, with new apps,
sites, etc. The reason I've always loved 1Password was because of the convenience of
signing into App Store, download the app, and just open 1Password, enter the
masterpw, and be done with it.

I will miss the iCloud-sync and the convenience on Apple-platforms, but I
seriously believe that a change is forced.

------
Khaine
I'm not sure how the subscription model makes sense for a password manager. In
general, I'm not a fan of the subscription model. I hate the trend towards
subscription. I can imagine a day, when I pay $5 a month for a password
manager, $5 a month for office, $5 for slack, $5 for a to do manager, $5 for a
mail product, $10 for an internet browser, and after all that having no money
for anything else.

~~~
bwoodruff
Speaking strictly in terms of money... How much would you pay for a license?
$65? So what does that work out to if we release an upgrade every 2 - 2.5
years? About $30 / yr, right? That is about what a subscription costs as well,
but the subscription includes access to the apps on all platforms, as well as
other features not available with a license. For most people, especially
1Password Families customers, the subscription option is going to be less
expensive. This is a reflection of the amount of support required on average
by license customers vs subscription customers.

Ben Woodruff

AgileBits

~~~
Khaine
I understand the logic behind the value of a subscription. Personally, I am
more comfortable 'owning' my software than having a subscription to it.

------
Jemm
At the rate that things in my life are moving to a subscription model, I am
going to need a subscription manager more than a password manager.

------
sigzero
You can still buy a standalone license from the website directly. That's
probably what I will do or I will find something else.

------
jpz
I bought their software. The software stopped working properly and nagged me
to buy a subscription - despite having purchased the full product previously.

I lost my interest in being their customer. They did offer me a 1yr
subscription for free, but by then I had wasted hours trying to get a new
install to work and had lost my goodwill with the product.

------
krautsourced
After using (and loving and having paid for) 1P for years, I moved over to
Enpass a year or so ago. Their clients are not as good as 1P's, but I simply
neither want a subscription based service (what happens if they are bought /
go under), nor do I want my passwords to reside on their servers (encrypted or
not).

------
alceta
As a long time 1password user (at least since 2009), I switched to Bitwarden
late last year and did not regret it.

------
Angostura
Assuming in the Apple ecosystem only, is there any reason to go for this
rather than the in-built Keychain?

------
8ytecoder
Both iOS and Mac App stores need options to allow developers to offer trials
and paid upgrades.

~~~
pier25
And easy refunds.

On Android if you uninstall an app before 2 hours after buying it, you get an
automatic refund.

------
vira28
I couldn't have asked this question at a much better time. Would appreciate
your feedback.
[https://news.ycombinator.com/item?id=17111650](https://news.ycombinator.com/item?id=17111650)

------
stock_toaster
New version of the MacOS desktop app appears to require at least Sierra. Hope
the current version still works with "1Password Families" for a while (as I'm
stuck on El Cap due to older hardware).

------
tomerbd
Why not just use keepassx for Mac with parallel versions for iOS and Android
with cloud sync? Can someone explain to me? I have everything I need: auto
complete, control, strength etc + it's open source.

------
lemoncucumber
So for the Mac client, the options are to either subscribe or buy a standalone
license directly from AgileBits.

But what is the upgrade path for future versions of the iOS client if you
choose not to subscribe?

~~~
bwoodruff
1Password for iOS was just upgraded to v7 and was not a paid upgrade (anyone
who had previously purchased received the upgrade free of charge). As for what
the future will bring, having just recently launched v7, it is a bit early to
say.

Ben Woodruff

AgileBits

------
jedisct1
I use Enpass.

$10 once for mobile devices, free everywhere else, can use
Dropbox/iCloud/Google Drive for password storage, no need for any subscription
whatsoever.

And it can seamlessly import 1Password databases.

~~~
czbond
Their approach is interesting; I currently use KeePassX and mobile was a huge
pain. Thank you for posting about Enpass - going to try that out.

------
waterphone
…but they will still be selling individual non-subscription licenses through
their own website, so anyone who wants to avoid a subscription can still do
so.

~~~
rcarmo
Still, this is a trend I will have nothing to do with if at all possible. And
besides subscriptions, version 7 will only sync using their back-end, which is
not acceptable for me.

On one hand, password managers in browsers are becoming nearly good enough to
cover for 80% of my use cases, and most of the other 20% boil down to
convenience (ease of pasting, updating, etc.)

I don't like the idea of being forced to move to a subscription on my Mac and
on iOS for diminishing returns in feature improvements -- and I've been using
1Password for many years now, so the need to finance new features is something
that I understand but have seen little return from.

By all means ensure you can sustain revenue, but beware of inflated
subscription prices.

(I've been keeping tabs on alternatives for a while now, so I will likely not
upgrade to 1Password 7)

~~~
tadasv
What alternatives do you have in mind? I was thinking the same, but haven't
done much research yet. I definitely want to have more control over my
passwords.

~~~
chiefalchemist
I'm not sure what your criteria are but I've been using LastPass (Enterprise)
with 2FA (Yubikey) for a couple years now. Aside from the Yubikey, the key
benefit is I can share a folder with someone using the free version.

It's not cheap but it works and afaik it's secure (esp with the Yubi).

~~~
roustem
1Password Family accounts have support for free guest accounts that can be
used to share information with other people without requiring them to
purchase.

------
mderazon
I never liked 1pass. I don't like the fact that you have to install a desktop
app to use the browser extension. Also the UI is a bit annoying and sometimes
it feels like it just gets in my way. The UX for multiple vaults is not so
obvious at times and you don't realize you are only searching one vault
instead of everything. Copying and sharing between vaults is also annoying.

I really don't see what 1pass does better than LastPass. LP has a bad security
reputation but other than that it's much more enjoyable to use

~~~
roustem
Good news! With 1Password X you can use it without installing the desktop app:

[https://blog.agilebits.com/2017/11/13/1password-x-a-look-at-...](https://blog.agilebits.com/2017/11/13/1password-x-a-look-at-the-future-of-1password-in-the-browser/)

~~~
mderazon
Just installed now, much better, thanks

------
stirner
The Mac App Store makes it impossible to charge for software customers have
already paid for? Tragic.

~~~
scarface74
Not impossible, _hackish_.

You can emulate upgrade pricing via bundles.

If you sold V1 for $5.00 and then you want to sell V2 to new customers for
$5.00 but existing customers. You can bundle the two versions for $8.00 and in
the description for V1 you tell them that version 2 is available and don't buy
it. You tell customers that have bought V1 already to get the bundle for $3.

~~~
stirner
That's an interesting workaround. The question I meant to raise was whether a
workaround is justified, or whether software developers should just maintain
the apps they sell.

~~~
scarface74
It depends. If your app can work within the sandbox and it's a one and done
like a game, maybe. The Mac platform changes so slowly you don't have to worry
as much about incompatibility with a new OS as you do iOS.

But if you ever want paid upgrades or you are already a well known app -no.

For instance it wouldn't make any sense for MS or Adobe to be in the Mac App
Store.

------
twodayslate
So if you are on a Family plan now and pay monthly you have to also pay
monthly for the app?

~~~
roustem
No. If you are on a Family plan then all apps and updates are included in the
subscription price.

------
f311a
Can someone clarify? Can I use transfer my appstore non-subscription license?

~~~
bwoodruff
I’m not entirely sure what you’re asking, but 1Password 7 is a separate
purchase, unless you’re using a subscription (then it is included in your
subscription). There is no transfer of licenses from v6 to v7. Does that help?

Ben Woodruff

AgileBits

------
KiDD
Never gonna pay to upgrade again...

------
gaius
Stupid question: what does this do that iCloud Keychain doesn’t do?

~~~
y_molodtsov
iCloud Keychain is pretty good, but it tragically fails in the following
cases:

* Any browser other than Safari.
* Apps that MacOS/iOS don't parse for password fields for some reasons so you
  can't generate a password right there — and it's a huge pain to add them
  manually, practically impossible on iOS.
* Cloud access (if you need your account and don't have any of your devices).
  Your Keychain is in the iCloud, but you can't access it from icloud.com

So Apple could easily make it much better but they haven't.

------
intrasight
Could someone chime in with a TL;DR on what this thing does?

