I'm okay with paying for the Mac update. What I'm not okay with is them disabling Dropbox support in the old iOS program and then making the new version a $18 app. That means I'll need to spend $51.58 ($33.59 for Mac + Windows upgrade plus $17.99 for iOS app) to regain functionality the worked perfectly fine until they crippled the iOS app.
I'm doubting that I'll actually do this because I'm so steamed about the disabling of perfectly working features.
They claim that Dropbox deprecated their existing API, so the software broke on it's own. AgileBits did not disable the integration, upsteam changed.
In the same way that Netscape 4 can't talk to SPDY-only websites, 1Password 3 can't talk to the new dropbox API.
I haven't found the doc from Dropbox that describes an API change on Sept 1 - They did do a V0-V1 change this year, however, and AgileBits' story is plausible.
But the only reason they couldn't update 1Password 3 to the new API is because they pulled it from the store -- in order to force all users to upgrade for $18.
I see your point, and I don't necessarily disagree with you, but if updating 1password 3 to a new dropbox API requires a bunch of dev time, why should it be given out as a free upgrade?
I guess they could have sold yet another version of 1password 3 with the update for a lower fee, but that's confusing. At one point, with the upgrade from v2 to v3, agilebits had something like 4 or 5 versions of 1password in the app store (iphone/ipad/iphone & ipad combined version/v3) and while it offered better value, it was also confusing and off-putting for new customers.
I can't remember - does the iOS app store allow devs to charge for version upgrades? Or do you just have to create an all-new sku?
Their thinking is made clear in this quote, they don't see the lifetime license as a viable business model.
"However, considering that we need to be able to feed our families, it is likely that 1Password 5 will be sold as a separate paid app, like we did for 1Password 4 in the iOS App Store. We just decided to make 1Password 4 for Mac an exception to this."
http://discussions.agilebits.com/discussion/16268/what-shoul...
I don't think they pulled it to force people to upgrade.. I suspect they pulled it because selling multiple versions would be confusing.
It's clearer if there is one app per platform.
Getting my wife to use a password manager is tough enough - Having to explain why there are 14 variations in the store would just add to the burden.
But as to why it was a new version in the first place.. This is Apple's supported answer for paid upgrades. They did the same for Logic Pro X.
I think they do want the paid upgrade however I've gotten free updates to a great program since 2009. I have to agree that they have built an awesome tool that is incredibly easy to use.
It was hard to pull our good friend 1Password 3 from sale, it still exists in the App Store, just not for sale. This allows purchasers to still download it, but it isn't for sale for new users.
One app is much easier than several. We had previously:
* 1Password for iPhone
* 1Password for iPad
* 1Password Pro (the two above as a universal app)
We did this because we released the iPhone app when they provided an SDK, and then the iPad was released but some users just wanted to pay for the iPad version, not the iPhone app again. So, we made it so users could do that, trying to provide a better price point for those users. For new users we stressed Pro for it's universal nature.
But, this was all very confusing. I can't tell you how many emails I answered that were from confused customers asking which one they would buy.
Having three apps was very hard.
This probably isn't the best place for this due to comment threading, but updating 1Password 3 for the newer Dropbox API would've taken a LOT of developer time. We did not use the Dropbox SDK because when we wrote 1Password 3's original code base an SDK did not exist, or if it did come out shortly after it wasn't acceptable for use for a variety of reasons, usually performance related. If I recall our developers correctly via various chats.
And if we did update for the newer Dropbox API then we'd be supporting two platforms (3 and 4) and it's just hard to do. Plus, the much bigger issue was we wanted to move the features of 1Password forward, for example, custom fields and sections. To get this support in 1Password 3 we would've had to have basically rewritten the entire data model and at that point all that's the same from the old app is the interface :)
The even bigger issue for a new app is supporting older platforms. Some devices can't run iOS 6, which 1Password 4 requires. Such as the iPad 1, which many users continue to use and love. If we had updated the app inline, those users would've lost the ability to download a working version if they needed to. This seems to have changed recently, as you can now download the last version to work for a particular iOS release. But this didn't exist last December, or leading up to release for months prior.
Now, hindsight being 20/20, many developers are doing new apps with regard to iOS 7 because it's a cleaner "break" and requiring more significant rewrites and provides a natural point at which to make a new app and charge for it. So, many developers are going through the same thing we did with iOS 6, but they're doing it with iOS 7.
I am upset by this as well. 1Password 4 for iOS didn't seem like a useful enough upgrade to make me pay full price (again). And then since they pulled 1Password 3 from the store, they couldn't update it when Dropbox changed their API.
The new feature in 1Password 4 for Mac that has me interested is shared vaults. Now you can finally use 1Password as a password sharing solution for a business. This has been on my wishlist for years.
Not every version. We've only charged for three upgrades in our history.
1Password 2 for Mac to 1Password 3 for Mac
1Password 3 for Mac to 1Password 4 for Mac
1Password 3 for iOS to 1Password 4 for iOS
So, two of the three updates happened in the last year for the latest release (1Password 4). All other updates were free for existing users.
That's over 4 years between releases with no charges for users who purchased on launch day. Now, not every user purchased on launch day obviously, but I think we've been pretty fair with the upgrades. We go out of our way to try to help users who purchased prior to the new version too. We gave every user who purchased 1Password 3 for iOS a free upgrade to 1Password 4 within a 30 day window from 1Password 4 release.
This is the App Store we're talking about, which doesn't provide a mechanism for giving the app away free (while having it a paid app). Unless you count those 50 app store promo codes you get each release... (that's cost of app + 30% hit from Apple). I don't know of any other company that would do that on the scale we did. We tried VERY hard to give our users the best we could while going to a new app.
I use 1Password so extensively that the money I paid for it always seemed well spent, if not cheap.
1Password 4 is a big leap for me in terms of usability (vs. v.3): the mini application can be quickly accessed via a key chord, similarly to what you can do within a browser. Very helpful for things like VPN access, encrypted HDs, and other non-web softwares.
The security audit is a great feature too: it can tell you where you are using weak passwords, or even repeated passwords. If you have used the same password on many sites, and one of those sites is compromised, you might want to change that password elsewhere, or better, make sure you use a unique strong password everywhere; so knowing what sites could be compromised is a huge help.
If you want to feel safe in the web, 1Password's high usability and new features will help you get there.
In my browsers, 1Password 4 still works less reliably than 1Password 3. Manual completion (I don't use auto competition) sometimes works and sometimes doesn't. In the former case, the user credentials get listed but not inserted. The issues occurs more often in Chrome than in Firefox. It might be just me of course.
In any case, I am already in contact with the great AgileBits support team. AgileBits is one of the companies where your support mails are taken seriously.
If you email me, my name (see sig at bottom) at company url with the email address you used to send your support ticket in I'll personally take a look.
Another enthusiastic customer here. The biggest thing I've gotten out of 1Password is that I've been using it for so long and have integrated it into so many of my computers and devices that I just don't worry about forgetting logins anymore. I know with 98% confidence that I'll be able to find it in 1Password, even if I signed up years ago.
I also use it to store secure account information like bank accounts and CC numbers. Ever needed your credit card or some account number but only had your phone on you? With services like 1Password that's no problem.
I have been using the beta since they started. This is good upgrade that brings a much more polished UI from 1password 3.
The auto-fill functionality seems greatly improved: there are many JS based lightbox or hidden-until-you-click logins that 1pass3 couldnt autofill. 1pass4 just works.
Personally, I see no compelling reason to upgrade. V3 works fine for me, and 99% of the time I'm just using the browser plug-in anyways, not the main app.
It's also a bit disappointing that I had to buy direct to get cross-platform support, which is the reason I chose 1Password, but then that means I have to pay for this upgrade. If I had paid them half the price via the Mac App Store, minus Apple's 30% no less, I would get the upgrade for free. Not sure what they are trying to tell me there.
Sorry to hear you feel it isn't worth the upgrade. I'd suggest trying the demo at least to see if there's anything there worth using. Personally, the new browser extension is amazing and I have a hard time going back to help users in support :)
You didn't have to buy direct to get cross platform support. We offer coupons to users who purchase on the Mac App Store and want to buy our Windows application as well. We match the price at the time of purchase. So, normally the Mac app is $50, we offer the Mac + Win bundle for $70. If you bought at $50 on the Mac App Store, we give a coupon to get the Windows app for the same price as our website bundle. We just need proof of purchase from the Mac App Store.
If you have concerns though, email us, support at company url. Mention me here and someone will add me to the ticket and we can discuss directly. I'll be happy to help however I can.
>You didn't have to buy direct to get cross platform support.
My only suggestion is that you might want to document this somewhere, because I had no idea this was an option at the time I purchased in July 2012, and still don't see it on the store web pages.
You're right, we don't have it anywhere anymore. We did have it when we were using another support system that had a built in KB. Sadly that didn't work out for us and I think that article disappeared along with the tool.
I'll put this on my todo list to see if we can get it handled soon.
That said, if you email us support at company url, maybe I can make it up to you in some way or another. Just mention my name and remind me of this discussion.
I found out about the "CMD + \" just now. I guess it wasn't there before or is that because I never used the browser plugin.
Btw, my upgrade was free at the App Store.
Quick observations;
* Snappy and Fast.
* iCloud Sync will make it easier to sync between Devices - iOS and Mac OS X. Dropbox sync wasn't that great if I don't open the app often. (I hope I don't regret saying this.)
* Finally, "CMD + SHIFT + c" copies password to clipboard. Been asking that for ages.
Is CMD + \ an easily reachable shortcut on American keyboards?
On my Non-American keyboard, CMD + \ equals CMD + Alt + Shift + / …
I have never used the setting so far. The current setting in 1Password on the Mac I am using right now is CMD + S, that does not work of course. I guess I changed it years ago since AgileBits is very unlikely to have chosen CMD + S as shortcut for Non-American keyboards. I changed the shortcut now to CMD + ALT + 7 …
Yup, it's been there for a long time. For at least as long as I've been a user.
We had trouble with 1Password 3 and non-US keyboards, but the new app should be MUCH better at handling non-US keyboard layouts. So change that shortcut however you see fit :)
I just can't promise a t-shirt for your chosen replacement of the shortcut (see our blog.agilebits.com header for this one).
They're "at cost" so we're not making money on the shirts but our users really loved them so we found a way to at least make them available at a reasonable price.
Supported this company with the first version of 1Password. Then paid again for a family version of v3 last year, as well as the paid version for the iPhone which has been somewhat of a let down... now they want more money. All so I can store/use passwords.
I've spent less money on other apps that I actually spend more time using daily. Guess I'll start searching for some alternatives before they start dropping support for v3.
Not sure why you're quoting this. I read this when I visited the page... I just find it ridiculous that if I pay the $24.99 to upgrade, I will have put close to $100 into an app that basically stores passwords for me conveniently.
They can do what they want with their pricing, but I agree. I just don't see the value at the current price points, especially the $18 iOS app. I'd be more inclined to upgrade at around $20 and $10. At $18 and $7 I'd already have pulled the trigger.
It's available as an early beta and pretty promising. Competition is always good and Apple will pushing AgileBits further when they release Mavericks with the iCloud Keychain.
I've been using 1Password for years, and until I saw the picture of everyone in their t-shirts, I had no idea that CMD-\ was the hotkey for the password menu.
Still waiting for seamless Linux integration though. It's one of my killer apps that keeps me on OS X, connecting via ssh to headless Linux machines or VMs, as opposed to using the Linux desktop. And yes, I realize that there are other password managers out there for Linux. The point is that I already have my passwords and many notes in 1Password, and anything I switch to would have to sync with OS X and iOS.
Same here; I had to get a Windows license when I was tired of read-only from the dropbox utility, and then run 1Password for Windows using Wine (and 1Password for windows is a massively inferior experience.) I'm surprised they don't put more effort into improving the Windows app instead of releasing v4 on top of an already pretty good v3, even if they don't feel it's the right time to release a Linux version.
Noted. We can't promise Linux support. It's hard to provide paid software on Linux and be able to pay for the development and technical support. The user base is tricky, many are used to free software via their favorite package manager. Serious professionals are likely to pay I think, but how many of those are there?
We'd love to support Linux in some way, and we just hired a guy who primarily works in Linux. We never say never, but we certainly can't promise Linux support. All that said, I'll pass your feedback along :)
I'd agree, I want our Windows application to get a make over and try to gain feature parity with our Mac app. We're a very small team though so focus tends to be on Mac and iOS since that's where a vast majority of our user base is. That's not to say we don't want the other platforms to be better. Example: We're working on a brand new Android application that should blend both our look and feel with Android's look and feel.
We'll get the Windows application there, just give it some time. :)
Hmm, 1Password always seemed like an overly-complicated (though polished) solution to a basic problem to me.
Personally, I just use a variant of:
one-way-hash(master-password + site-domain)
Seems to work really well, doesn't require special software, allows me to replicate all my passwords on any computer, and passwords are unique to each website and seemingly-random. Use a strong master password and it seems like an ideal solution to me and you only have to remember one master password and use no special software.* For extra security, perhaps base85-encode the output and truncate it if you want a password with special characters in, and use a slower function (e.g. bcrypt with a high work factor?) to prevent brute force attacks if you're using a simple password.
[* Note, SuperGenPass basically does just this, but has security issues since it runs as JavaScript in the browser as a bookmarklet. My personal solution is a script which does something similar, run using a quick hot-key, that grabs the domain from my front-most web browser window and grabs my master password from the system keychain and then puts the generated password on my clipboard.]
Would be very grateful if someone could point out any security flaws in this method that haven't occurred to me!
One domain flaw: dropbox.com used to be getdropbox.com and probably others. Unless you remember and/or changed your password when that happened, it might now be unrecoverable.
One password flaw: some sites have weird restrictions (probably your bank, for instance). A hashing solution is unlikely to meet those requirements, meaning you have to store the value securely somewhere, so why not store them all? On the other hand, if the output can meet the requirements, it's probably partly based on the requirements. If the requirements ever change, your password now doesn't match.
I know I've thought of others previously, but the short version of it all is that at some point you'll probably have to have secure storage for something that doesn't work with the hashing system you have. Once you have that secure storage, why not just use it instead, since it can resolve nearly all of the problems?
Anecdotally, the "one domain flaw" has only ever happened for me for two websites over long time I've been using this system: getdropbox.com and amazon.com (using international amazon sites). Worst case scenario, you can request a password reset if the domain changes, because it's not the sort of thing that happens often.
The "one password flaw" has never been an issue, but my bank uses proper two-factor authentication with a physical card-reading device, so maybe that's why... I've never actually encountered a website that places problematic restrictions on passwords except (weirdly) Microsoft.
But they're just personal anecdotes that those flaws haven't been an issue for me, but I agree they exist and could be show-stoppers for others. I certainly wouldn't recommend it to anyone non-tech-literate. If I did need secure storage outside of that system (which, you're right, does happen–mostly for wifi passwords and the like) then I just use the system keychain as intended.
But I do still have concerns about the overall security of the system simply because I don't understand it well enough...
> Once you have that secure storage, why not just use it instead, since it can resolve nearly all of the problems?
Because I don't want to pay for 1Password licenses, or be caught out if I'm using someone else's computer, or if all my backups catastrophically fail :)
Use any Google properties? Google.com and youtube.com (can) use the same password across two domains. I think there are others within google too. Or do they redirect to google.com for all logins? Meh. Like you said, it's a rare problem.
Thought of another problem: when you're forced to change your password. How do you encode that? Just add a version-N marker to the site name (which you have to remember)?
I'm not trying to sell you on 1Password, just point out problems with hash-only approaches :) And the storage-less nature is certainly a (big) plus when it works out, you're right.
--
And one possibly-significant danger you should be aware of: assuming you do something simple (which has the advantage of being buildable from scratch on any system, and easy to remember how), if your password is not globally unique then your security partly relies on the security of whoever else uses your password. If they lose it, anyone who knows that and guesses your username anywhere gets proof that you use the same password, so they can go test a bajillion sites immediately and with perfect success rates.
The standard technique for mitigating this is to salt the hash... but this is just another secret you have to store somewhere or memorize, so we're back where we started.
As long as by one-way-hash you actually mean "key derivation function" and not actually hash, otherwise one leaked password means I get your master password, and hence all of your passwords, as long as your master password has an impossibly huge amount of entropy. (It probably doesn't.)
Seriously, use cryptographically random passwords.
SuperGenPass uses MD5 or SHA512 (so they do use hashes). Personally, I use bcrypt with a cryptographically random and long master password, which is something at least.
I appreciate the input and advice anyway. Security being a system of compromises, my current stance is that the security offered by a system like this, despite its flaws, is greater than a password database system (with truly random passwords) because then both I need to keep the database physically secure and trust that e.g. 1Password have designed it properly (or that my cloud provider is capable of keeping it secure). Since 1Password has apparently had potential issues in the past I don't have too much faith, but perhaps I'm being overly cynical.
Comments like yours and Groxx's help me re-evalute what I'm doing though, so maybe I will switch to proper random passwords in future. So thanks again for the input!
I didn't say anything about any particular system. Using MD5 or SHA-512 doesn't have to be bad per se -- using them once is bad.
Also, you mention having to keep it physically secure. I don't think that's true; you can use anything you want to encrypt it, from passwords to smart cards to whatever.
You mention you have a long and cryptographically random password. I'm guessing (hoping?) that it consists of a bunch of words that are easier to remember, since humans are pretty bad at remembering things with sufficient entropy to count, particularly if they come in the form of unintelligible junk :)
It's very kind of you to respond! I would certainly never trust it to share with someone else :) but I'm perfectly happy to accept the risk myself.
But it's not just me using a system like this. Everyone using SuperGenPass is using something similar too. That's why I think it's important to talk about it more.
I find it all very interesting so I try to learn where I can, but I leave the security stuff to our resident Chief Defender Against the Dark Arts (Jeff in the blog post). He's the guy who understands all of the security implications. He talks and I listen and try to absorb everything I can.
I figured that article was at least worth mentioning here.
I'd be interested in peeping your script just as a blueprint of how to set something like this up for myself. I'll likely end up ponying up for 1Password v4 anyway, but I fantasize about going lower-fi/simpler all the time, and this seems like a nice step in that direction. Are you doing this on OS X?
Yep. Doing this on OS X and launching it via Alfred. I'd rather not share the script solely because I don't want to be responsible for some bug or bad idea that could cause you or anybody else problems.
However, I can share some inspiration to get started:
I took that script as inspiration, modified it to use bcrypt, and then used the Python "keyring" module for access to the OS X keychain, and calling "osascript" to use an AppleScript one-liner to get Safari's front-most URL as an input.
It does potentially have the side-benefit of protecting against phishing attacks too, since if the domain is different, the password is different, so you can't be fooled into giving your password to the wrong website.
Maybe they can make a decent Android version one of these days. If they had a good Android version, I'd update to v4 for OSX in a heartbeat. I own an OSX license for v3, a Windows license for v3 (or whatever its at right now), and iOS licenses for iPad and iPhone - even though I don't have an iPhone or iPad anymore. I have a big investment in this program, but their slipshod Android version has me re-evaluating this investment.
Are there any good alternatives to 1Password? I need OSX, Windows, and Android versions, and it needs to work in Chrome and Safari. I'd also need synchronization between multiple machines/browsers. I'm not sure what I think of a web version like LastPass - my 1Password keychain is in my dropbox, so it's not like I have it locked-away and protected. But it still feels a bit odd to have my passwords in a single service like LastPass - for some reason I have more confidence in Dropbox's security than LastPass's.
Yeah, they claim it's in the works, but I think that's been true for over a year now. Maybe soon? An app like this shouldn't take a year to make, especially since the current version is so incredibly bad. Some improvement sooner would be preferable, I think.
I have yet to find any alternative that is even remotely as user-friendly. LastPass does legitimately seem to be well run and secure, but the browser-extension UI is horrible at omg levels. KeePass(X/etc) also looks decent, but it's .NET (for what appear to be good reasons, but still), has slightly scary code (lots of reimplementing builtin classes), and again, omg-horrible UI.
I'd love a reasonable alternative, 1Password is unfortunately getting too pricy as time goes on, though it has been hands-down the best.
We are indeed working on a full Android application. We'll admit, it has taken longer than we wanted. We're getting closer so hang in there and if you're really interested in testing it, ping us at support at company url and mention me. I'll see if I can add you to the list of testers when we get to that point.
I think my message was a bit confused there. I have all of my versions of 1password - OSX, Windows, and Android - syncing together on dropbox. I was anticipating that someone would recommend LastPass as an alternative that can be used on multiple devices. The point that I was making was that I trust the security surrounding my dropbox more than I trust LastPass's security - although I don't really know whether that's reasonable/rational.
> Is there a management interface for saved passwords or is it just the plain old Keychain Access utility?
> All this "iCloud Keychain" hype looks like just a sync functionality on top of current implementation.
There's Keychain Access and a preference pane in Safari for web passwords. It is exactly a sync feature added to the keychain implementation that exists in Mountain Lion and earlier.
Yes, Apple's functionality seems best for casual users (ie, my parents) who generally only use safari on their ipads and mac.
iCloud Keychain is a better experience on iOS because only Apple can extend Safari - If you're using 1Password on iOS, you can't do the equivalent of "CMD+\" - you have to use the launch the 1P app - which breaks the workflow.
I don't see me moving away from 1Password anytime soon - though the ability to have multiple agile keychains in a single 1P session would have me pulling out my wallet - been waiting for that for awhile.
Good point and that is probably the reason for releasing 1Password 4 now. I have paid for 1Password for too many times and I'm jumping off the wagon now.
I have purchased 1Password 3 in 2010. So I used it three years without any upgrade costs. For an application that I use everyday, it's certainly worth $25. Although, the pricing is steep for other reasons: I have recommended many non-techies to use 1Password, but they would never spend $50 on a password manager.
I won't purchase the upgrade to 4 immediately. 1Password 3 is still working fine. Shared vaults look to be a nice feature, but other than that I don't think I need any of the changes.
Besides that, I'd like to see how good the iCloud Keychain will work in Mavericks/iOS (although it is not a cross-platform solution, Agilebits' Windows and Windows Phone apps haven't been stellar either).
Ooh, the beautiful, lovely, shiny new "Security Audit" tab! It shows all of my re-used passwords, which passwords are weak (even "Terrible", as it not-so-subtly puts it), and which ones I haven't changed in years.
I've already added "perform 1Password security audit" to my monthly to-do list.
Windows and Android functionality. I use a Windows computer for some limited amount of things, and it's invaluable for me. Also, if you use Dropbox syncing, the Dropbox folder has some javascript magic that makes it work as a web app (decryption happens client-side).
On the other hand, the new keychain access will have direct Mobile Safari integration.
Wow, just YESTERDAY I was thinking... its disappointing I hardly get any updates for 1Password 3 :( I checked the changelog and everything. I havent even thought about this in MONTHS/years and suddenly the very next day 1Password 4 is announced. Amazing
Multiple shared vaults each with their own sync and location sounds like a godsend. I've been considering switching to LastPass Enterprise for work, but the sharing there is awfully convoluted.
I will probably switch soon given the current state of their Android app, but maybe this OSX update is a hint at a visual refresh for all of their products?
I hear that there will be more than a visual refresh of the Android app (it will fully participate in the 1Password ecosystem for update and read, less iCloud support)—but it will be released when it’s ready.
Does anyone have suggestions for what I can use, as a linux desktop user? The best thing anyone has told me, so far, is Keepass, which has an interface I don't like very much.
I don't really see the point of having 1Password on anything but your phone (unless you don't have a smart phone).
It seems like the most secure way to use it, assuming you've enabled back ups in 1Password to iCloud or DropBox.
Whenever I need a password I just grab my phone and look it up, then type it in. Sure, I have to manually type passwords, and my randomized passwords all have a minimum 18 character length, so it takes a bit longer. It's a plus though, because over time I memorize my passwords through repetition. If you have the program on a desktop and it just copies/pastes your password, you'll never memorize it.
Passwords are a terrible security tool - In many cases they are easier for computers to guess then they are for people to remember.
For me, not-memorizing it is the whole point of 1Password.
1Password lets me generate and store passwords which are MUCH longer/more random than normal people can memorize.
I store them on my PC, and lock/unlock them with a strong master password - They're synced via local network to my phone, and never travel outside my network. Where possible, accounts are additionally secured via 2-factor auth.
This seems like a much better solution than variations on song-lyrics, cat names, 'P4zzw0Rd', which is the 'standard' solution to passwords.
FWIW, passwords are something I'd consider a 'hair on fire' problem. The current solutions are very very broken.
Serious? All my passwords are randomized with their generator. There's an extension for every browser. So any time I need to login to a site I hit Cmd + \ and it auto fills and logs me in. Fuck typing and remembering passwords.
I guess I just don't want to install plug-ins on every browser/computer I use, since I have a lot. Plus work, library, friends' computers, etc. Memorization comes in handy at that point. As for typing, it's not like typing in even a 18+ character password is that slow.
With iCloud sync now, all you need to memorize is your Apple ID password (to install 1Password from the App Store and have it sync from iCloud) and your 1Password password and you can bootstrap your whole password database onto every computer you own. Typing 20-30 character randomized strings is something I try to avoid. What a pain in the ass.
In exchange for not memorizing my passwords, I get different, random passwords for every site I use. Given likely attack vectors, I have seriously upgraded the security of my data. Add to this the syncing and the ease in my workflow, and I'll never, ever go back.
Passwords are terrible. 1Password and related software make having to live with them significantly less terrible.
They are referring to AgileBits customers on the Mac App Store. So anyone who previously purchased 1Password on the Mac App Store. Apple doesn't offer upgrade pricing, so it would make sense that the upgrade is free. Most likely AgileBits calls that fact out due to past issues with the iOS App Store where they took down the old app and created a new one so they could charge an upgrade fee.
I'm doubting that I'll actually do this because I'm so steamed about the disabling of perfectly working features.