Written by Patrick Howell O'Neill
The popular password management software 1Password is under fire from security experts as the app moves toward subscription-based cloud storage and away from the local machine storage that helped it become popular among the information security community.
Options to create local vaults are hidden in several new versions of the software and the latest Windows 1Password app does not allow local storage password vaults, a stark departure from what has long been one of 1Password’s defining characteristics.
Criticism erupted on social media over the weekend as news spread and several prominent cybersecurity experts roundly came out against the new direction. Much of the damage has been seemingly self-inflicted, as 1Password’s employees and website have offered confusing and at times contradictory guidance about the service’s future.
Infosec experts are calling it a step backward, because it means users risk losing their passwords by storing them on a piece of hardware they do not own.
“You’re basically taking a good product I recommend unhesitatingly and migrating into something I can’t,” Blaze tweeted. “Anything that moves to a model where the user cedes effective ownership and control of their credentials to a third party is bad, bad, bad.”
You’re basically taking a good product I recommend unhesitatingly and migrating into something I can’t.
— matt blaze (@mattblaze) July 10, 2017
“What makes sense for, say, a midsize company or a distributed team is likely not a good fit with consumers or individual professionals,” security researcher Kenneth White told CyberScoop. “Think of a data center team that requires 1Password on a USB drive (with zero access or interest in touching the public Internet) to troubleshoot or do maintenance on data center network gear. They need a local vault. And certainly not one, that either because of end-of-life licensing or some billing snafu, is read-only.”
The company emphasized on Twitter and in statements to CyberScoop, however, that standalone, non-subscription licenses are still available for Mac, iOS and Android users.
Yet even with the statements provided to the public, the messaging has been mixed at best. On the product’s support forums, customers are regularly complaining that it’s become a huge challenge to buy and use the local vault version of 1Password while employees say such a request is now “complicated” and that they “want all new customers to use 1Password.com [subscriptions] as it is simpler to use by default.”
When they do relent, instructions are being emailed privately rather than shared publicly.
Password managers have become a staple for security-savvy individuals and organizations. In the past several years, products like 1Password experienced a meteoric rise in popularity as information security inched closer to the mainstream and experts evangelized the importance of strong and varied passwords.
1Password’s possible move to a cloud-exclusive and monthly subscription model moves it in line with offerings from competitors like Dashlane and LastPass. For some users whose security requirements are more severe, however, a cloud-only option will not suffice.
While noting that subscription and local machine options have technically co-existed for over a year, 1Password developers have repeatedly noted that many users have been immensely confused over the two options, which is driving the company to push the cloud-based subscription model almost exclusively.
1Password’s website now lists only monthly subscription options that require cloud storage. Users trying to pay one-time fees for licenses have been searching for answers in 1Password’s forums, yet responses from 1Password parent company AgileBits appear to show that it’s a challenge to buy anything other than a subscription membership.
“I can’t predict the future of 1Password,” AgileBits’ Kate Sebald told CyberScoop, “but I can say that we have no plans to stop supporting standalone vaults at this time nor do we expect folks currently using standalone vaults to sign up for a 1Password membership to continue using 1Password as they have been.”