back to article 1Password won't axe private vaults. It'll choke 'em to death instead

The maker of password manager 1Password says it will not force its users to stop using private password vaults – as it sweeps this local storage functionality under the rug. There was growing alarm in the computer security community this week that 1Password local vaults were going to be a thing of the past. Basically, if you …

  1. A Non e-mouse Silver badge

    Bollocks

    "We strongly feel that our 1Password memberships provide a much better experience us a much better revenue stream."

    FTFY

    1. Baldrickk

      Re: Bollocks

      Exactly my thoughts

      it would greatly prefer users opt for the paid membership plan over local storage

    2. joed

      Re: Bollocks

      "Our customers aren't all security researchers and IT professionals. They're college students, retired steel workers, stay-at-home moms and dads, lawyers and everything in between, ignorant and can be easily fooled into accepting defaults" the outfit said.

    3. FuzzyWuzzys
      Thumb Down

      Re: Bollocks

      One reason I stopped using 1Password having used it quite happily for several years. I paid for the prog 3 years ago and now they want people on subs based services AND holding your private password stash on a cloud service. I checked it out and if you upload your local password stack you can't delete it!

      Sorry, I want it locally where I know who is doing what to it. Did a bit of poking about and there's plenty of FOSS password stores on offer for free and which work across multiple platforms with the same DB.

  2. DuncanL

    KeePass

    Get KeePass (http://keepass.info/) instead - available for just about every platform you want and has no cloudy gubbins.

    Just back up your vault to whatever offline\online service you trust. (There's even plugins to do the backups for you - if you want to trust those). The point being you have a choice and control over where the data goes.

    1. Lance the Boil

      Re: KeePass

      If I was looking for a new solution I would use Keepass. But I've already paid for 1Password and the local vault is one of the main reasons.

      And I'm a cloud advocate, but only where it's better.

    2. Anonymous Coward
      Anonymous Coward

      Re: KeePass

      I looked at KeePass when LastPass went cloudy, but it wasn't a starter.

      There's no direct mapping between the Apps, and (worse) you have to learn a new way of doing things for credit card profiles.

      Given the millions of people who said they were ditching LastPass for KeePass, I looked forward to an import tool (as the KeePass community has developed a few for other password managers).

      (checks KeePass website)

      Nope, still have to throw a CSV around as "generic" and then manually patch disparate fields.

      1. Dwarf

        Re: KeePass

        You can already import 1Password .1pif files directly, its been available for a couple of years. Look at the plugins link on the KeePass site at KeePass Plugins

        Want to define a form that you like for credit cards templates, then just add in the KPEntryTemplates plug-in and away you go.

        Its all there and it works really well, local, cloud, PC, iPhone, etc.

        Look at the plugins link and see what you like.

        Make sure you check out the PickChars function - to help with the "enter the 5, 9, 2nd digit type challenges that some sites use.

    3. tony72

      Re: KeePass

      +1. I use KeePass too, and sync the database between my PCs and phones using Resilio Sync, no cloud required. KeePassDroid is effective (if a little aesthetically challenged) on Android.

    4. Jonathan 27

      Re: KeePass

      If you want a local or self-managed vault, an open-source product like KeePass is the only logical option at this point. It's not a matter of if but when will any commercial password locker maker decide that that < 1% of users that don't use their cloud service aren't worth supporting anymore. Companies aren't charities, so they're not going to keep supporting unpopular features, when the other option is so profitable.

      1. Novex

        Re: KeePass

        +1 for KeePass.

        I switched to KeePass from Roboform when Siber System's Android app for Roboform turned out to be cloud only.

        While the move to KeePass wasn't entirely straightforward (as Roboform's export to HTML is crap) once done it's been fine. I do only use it for passwords and safe notes though. I don't use it for filling in credit card details on websites as I prefer to do that manually anyhoo.

        Also, I think most businesses are thinking that all their users can be forced to cloud if they're presented with that as the only option. It's similar to the way Microsoft forced Windows 10 on users, by effectively killing the older systems by not supporting updates on newer processors running older OSes.

    5. Anonymous Coward
      Anonymous Coward

      Re: KeePass

      I've been using SecureSafe for ages because I like their data inheritance model.

      You can set up passwords in your collection to be accessible via another "inheritance" password. If someone uses that, it starts a clock so you can cancel it and regenerate the password, but after the timeout you set (say, a week), the inheritance password then gives access to the passwords you have designated for that.

      It is also cloudy*, but properly done. Their aim is to make money on the document storage part, but using just the password thing is free.

      * But you're not required to use that facility.

    6. Rustbucket

      Re: KeePass

      I use the commercial Sticky Password which does have the option to store to the cloud for syncing, but that is strictly optional and daily usage is from your local store.

      They have published a paper on how they sync and, from memory, your passwords are encrypted with your normal master password and then super-encrypted with the company's own password for cloud storage.

      I'm not crazy though, I keep a parallel password list fully updated in Keepass in case the commercial company turns nasty in some way.

  3. Zog_but_not_the_first
    Facepalm

    Bangs (over people's) heads against a wall

    It must be clear to even the most dunderheaded idiot that the cloud exists largely for the plundering of personal and business data for profit.

    1. D@v3
      Coat

      Re: cloud

      what?

      surely not..!

      I thought all these *free* cloud systems were purely for my convenience.

      (OK, OK, I'm going)

    2. Anonymous Coward
      Anonymous Coward

      Re: Bangs (over people's) heads against a wall

      If I could give you a billion upvotes then I would do so.

      Clouds come and clouds go. They drop wetness on you and they they are gone.

      I see no difference with IT clouds.

      Not everyone on this planet wants to be connected to the Interwebs all the time.

    3. FlamingDeath Silver badge

      Re: Bangs (over people's) heads against a wall

      Did you mean over or other?

      You've confused me

      1. Zog_but_not_the_first
        Unhappy

        Re: Bangs (over people's) heads against a wall

        Other. Typo

  4. thondwe

    Business Model

    Business exists to make money shock! Rental better model for software business than buy outright - simples.

    Business likes cloudy/app stores as they can force users to keep up to date, so only need support one version. If they go "all cloud" they gain a stable platform, no more worries about their app tripping over on a machine full of other apps, missing/incorrect libraries...

  5. Anonymous Coward
    Anonymous Coward

    "that won't happen"

    I think I've heard it somewhere... Then comes the oops moment followed by the "we take our customers' privacy with utmost care, uhm, er.. well, sorry?"

  6. JakeMS
    Facepalm

    Yeah...

    See, this is why I always say use a local application for a password manager. Preferably open source so even if the devs stop working on it, you can make it work for yourself.

    Which is why for years I've been using KeePassX since its first version. Honestly, I just don't trust proprietary and "cloud" password managers, because they do stuff like this.

  7. Anonymous Coward
    Anonymous Coward

    Not for me...

    As just about everything is turning into a subscription model you eventually get to the point of having to prune the number of subscriptions you have because of the cost. $2.99 a month to synchronise about 100kb of data among three devices does not work for me.

  8. SALESMAKERS

    Been there, done that

    I've used 1Password for quite a while and DID struggle with the synchronisation issue. Phone, iPad, Computer and went to their 'subscription' model. What a nightmare. Almost immediately cancelled and went back to the local version - where lo and behold - now works fine. I hope for future users that they opt out and go to the local version and I also hope that 1Password (which is a fine product and seem to be a company that actually cares about their customers) bring back choice. I think they're missing a great deal of potential new business by forcing customers into the cloud (where I've got serious misgivings) and by exposing them to the product 'might' induce them to upgrade. If they force me to the cloud.

    Like most clouds - now you see them, now I'm gone.

    1. FuzzyWuzzys

      Re: Been there, done that

      If you look at the 1Password forums they're getting questions about "Can I do XYZ like the app could?" and the replies are always, "Not yet but in a future release of the online version.".

      1Password seem happy to beta test their online cloud offering to any mugs they can get to sign up to it, then they'll bodge it into shape as they go, pathetic. One reason I refused to to carry on using it and went off and used a FOSS password offering. Shame, as I liked the 1Password apps.

  9. Frank Marsh
    Holmes

    KeePass to LastPass to 1Password

    Now back to KeePass?

    KeePass was great, but I moved to LastPass so the web integration would be more seamless and my wife would hate me less. Then I read in the hallowed pages of El Reg about them getting sold, so I finally paid for 1Password, as some of my friends had suggested.

    1Password is great, and I love the mobile apps. I could even stomach paying them a monthly tax on top of the perpetual license I already bought. But at last check 1Password 6 doesn't support local vaults (forcing me to stay on 1Password 4). This news suggests 1Password 6 won't ever support local vaults.

    Maybe I have to jump back into KeePass and install CKP into Chrome. My wife likes the idea of strong passwords, but doesn't have much patience for copy/paste from an external program.

    1. Hugh McIntyre

      Re: KeePass to LastPass to 1Password

      RE: "But at last check 1Password 6 doesn't support local vaults (forcing me to stay on 1Password 4)."

      Nope, I have iPassword 6.7 here and have always used local vaults.

      The only (main) missing feature with local vaults is that the sync only seems to work to mobile devices, not to other local computers :(. Very unhelpful.

      I have to agree with the complaints about dropping the local vault version -- the fact that legacy 1Password keeps your data entirely on locally controlled systems is a major benefit. I would have recommended 1Password to others except that it seems impossible to get the one-off purchase any more, and who wants to recommend people sign up for yet another subscription?

      1. Frank Marsh

        Re: KeePass to LastPass to 1Password

        My fault - when I said "local vaults," I was specifically referring to Dropbox sync for those local vaults. Yes, my password blob is stored in the cloud, but a hacker would then have to crack my master password if they plucked the vault from Dropbox.

        1Password 6 has actually _removed_ support for Dropbox sync. https://discussions.agilebits.com/discussion/76885/1password-6-does-not-support-local-vaults-atm

        Previously, the vaults were read-only, which was also a non-starter.

        Now I find out 1Password 6 doesn't work with IE. ARGH. You can hate it but it's what many businesses (like mine) use.

  10. lotus49

    I like the cloud but I like to choose my own

    I have been a satisfied customer of 1Password for several years. I am quite happy to store my encrypted credentials in the cloud but not 1Password's cloud. I sync my local vault with another cloud provider that has nothing to do with 1Password.

  11. Anonymous Coward
    Anonymous Coward

    So, how many credit cards do I need now?

    OK, worst case scenario...

    Step 1: Credit card details get leaked by either an online store or malware in a bricks and mortar PoS system.

    Step 2: Cancel credit cards and wait for a new number

    Step 3: Update payment details for all those subscriptions you've got going.

    Step 4: Ooops, you are already locked out of either 1Password or your ISP for non-payment

    Yes, you can alleviate this somewhat by having multiple credit cards, but you need to make your own assessment of which sites data might leak from. Also, in my country, credit cards aren't free.

    1. Nate Amsden

      Re: So, how many credit cards do I need now?

      suggest having at least one credit card account where you can generate virtual credit cards. For me that is Bank of America (Shop safe is the product, I use it all the time, though it does require flash to interact with). I also have other credit cards but it seems that particular capability is far from universal.

      I think my (real) credit cards have been compromised 1 time(MAYBE 2) in the past 3 years at this point. I did have one ShopSafe card compromised, which is odd because only 1 vendor ever got the number(hotel reservation system). Because the original vendor did not charge the number, it was still "open" to be used(the moment it is charged it is locked to that vendor). About 2-3 months later a strange charge showed up from another website that I had never used, it was especially weird because there was only that one charge - normally I would see multiple fraud charges in a short time period. After some investigation I tracked it to the specific virtual credit card I used to reserve the hotel room. The vendor that had charged my card with the fraudulent transaction refunded the money. I sent a message to the hotel chain with the details but never heard back. Bank of America saw no need to cancel my main card since it was only shop safe that was compromised (maybe 7-8 years ago their reps/fraud system wasn't sophisticated enough and they would insist canceling my main card when shop safe was compromised even though there was no need, now they know better).

      Few years ago I had another shop safe card fraud attempt (that was blocked). I used that card to pay my cable tv subscription, I forgot how I got notified of the charge, but once again the only company in the world that number was given to was the cable company, so the breach happened with them or with their processor. They were very apologetic and offered to pay for credit protection(local cable company not a big brand name). I told them don't worry about it there is no harm done.

      so in general for me at least credit card security(whether it is chip and sign or swipe) really hasn't been much of a bother for me in many many years. I would say before 2010 my card(s) would get compromised on at least an annual basis, and it was more of a bother.

    2. Mark 124

      Re: So, how many credit cards do I need now?

      From the 1password FAQs:

      "What happens if my subscription lapses?"

      Don't worry, you will never be locked out of your account or your data. If your subscription ends, your account will be frozen but you will still be able to access, view and export all your data.

      ...So presumably all you need is a working phone with mobile internet, or an internet cafe, or a friend's PC?

  12. FlamingDeath Silver badge

    Why re-invent the wheel?

    Truecrypt + Notepad + a robust backup plan

    Why the need for password managers?

    I do IT I do

    1. Jonathan 27

      Re: Why re-invent the wheel?

      Convenience, password managers autofill websites and keep your passwords (and history) organized as well as generate new random passwords on command. No one NEEDs a password manager, but they do save you time.

    2. coconuthead

      Re: Why re-invent the wheel?

      Done properly, they guard against "look-alike" URL phishing.

      Suppose you meant to go to www.ibank.example.com but instead ended up at www.lbank.example.com. You might not pick this error up when checking the URL bar, because, as is well known, the human brain automatically corrects for this type of error (it's why you can proof for typos and still miss them). If you copy and paste, the impostor web site has your password. But 1Password, at least as I have it configured, does not offer the password in its right-click menu; all you will see is "Generate", because lbank.example.com is not in your vault.

      Not all available password managers get this right, but 1Password is one that does.

  13. J I

    Password Safe

    What's wrong with Password Safe? Free and open source for Windows, and someone does a (non-free) iOS version which I use to access the same password files via Dropbox.

    1. Robert Moore
      Linux

      Re: Password Safe

      Couldn't find an Android version.

      Moved to KeePass.

      It is entirely possible that there is an android version now, but there was not when I was looking.

    2. Anonymous Coward
      Anonymous Coward

      Re: Password Safe

      Yep, Passwdsase, Passwdsync on Android, and scripts to keep everyone in sync on all the clouds out there. A whole lotta smoking holes before I can't access my passwords. Bruce Schneier's work if'n you need an Appeal to Authority.

  14. Anonymous Coward
    Anonymous Coward

    Does everything have to be a subscription?? I really like 1Password. I've been using it for over a decade. It works great. I wish they wouldn't have gone to subscription. Sure, better for revenue, I get it. But they make a great product and I would always purchase the update. To me that's much more reasonable. I just don't want to be locked into paying EVERY MONTH for something that already works just fine.

  15. Anonymous Coward
    Anonymous Coward

    Personal Info Keeper 3.0 on PC and Linux Wine

    I've stuck with this (bought) AES256 encrypted tray program because It supports hierarchical folders of various custom named items, like a filesystem, random/custom-rule password generation/history, with custom sorting; not all supported by other password managers I've seen.

  16. jim249

    That all well and good BUT

    As with all things cloud orientated, it needs Internet access, not always available at Sea and if it is,its expensive

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like