DPP's Blog

Migrate off 1Password March 19, 2017

AgileBits is not a trustworthy company

I have been an AgileBits/1Password customer for 4+ years. I support small companies that have laser focus and excellence... which is what AgileBits seemed to be.

However, I've had a lurking concern that a proprietary software company secures my most guarded secrets with closed source software. Recently, AgileBits has demonstrated that they are not a trustworthy company.

I will tell you the story. I am also moving off 1Password and recommend that if you're a 1Password user that you seriously consider moving to another password manager.

The Backstory

I use 1Password on my Mac. I use 1Password on Windows (the latest version). I use 1Password on Linux (version 4 because Wine won't run the latest 1Password 6).

I have always used a local vault with 1Password and I sync the local vault via Git/SSH on a server I own and control. No Dropbox. No easy access to a third party and no accidental way for my password vault to show up in a mass breach. Yes, if someone wants to target me, they will likely obtain my information, but absent a targeted attack, I feel safe.

I installed 1Password 6, build 333 on a Windows box a few months ago. It worked fine and let me access my local vault. Yay!

When I went to install 1Password 6, build 377 on my newest Windows box, I was unable to access my local vault. I took to Twitter to ask the AgileBits folks what was up.

They claimed that 1Password 6 is and always has been a cloud-only offering. This is not true. I pushed on it and AgileBits doubled down on this lie (and yes, I use the word "lie" with full understanding that it requires the intent to deceive.)

What's the Issue?

Over the last year, AgileBits has migrated its business model from one-time software sales to a monthly subscription model with their cloud offering.

The migration makes perfect sense from a revenue and competitive perspective.

From a revenue perspective, the $100 +/- I've paid AgileBits for the software is not optimal to keep a team fixing and improving software. I paid once, but I expect updates and fixes. Lots of companies are moving to a subscription model and it makes sense to align revenue with costs.

From a competitive perspective, LastPass is eating 1Password's lunch and as password management because organizational secrets management, a cloud offering makes a ton of sense.

I applaud both the migration to subscription and a move to the cloud.

Except, I'm not going to store my password vault in another company's cloud until I've seen how the company handles a breach.

So, I want to continue to use 1Password, manage my own vault on my own server, and wait to see how their cloud offering evolves.

But... they are forcing people to the cloud and not being honest about this direction.

And if a company that has code that is proprietary and houses my most important secrets is going to be anything other than totally honest about changes, I cannot trust them and cannot use their software.

When a support representative makes repeated false (and demonstrably false) claims in furtherance of the company's current agenda, that's a lie.

Trying to be calm

After a calmer (and smarter?) person, @diligiant,tried to calm me down, I decided to reach out to AgileBits privately to figure out if the Twitter support person was just mistaken and didn't really understand the gravity of situation.

So, I wrote a direct letter to the AgileBits folks to see if they would be honest:

Folks,

I've been a 1Password customer for more than 4 years.

When I was VP Engineering at kiva.org, I advocated for Kiva to move from LastPass to 1Password. I have been more than a user and a customer... I've been a fan. I've even written about how to run 1Password on Linux: https://blog.goodstuff.im/1password

But on Tuesday, I downloaded Build 377 for Windows to install on a new Win10 machine. I looked for the "advanced options" selection so I could use 1Password 6 with my own managed vault rather than using 1Password's cloud. I could not find the option. So... I tweeted:

Looks like @1Password is forcing people to their cloud offering… anyone have a cross platform password Mgr they love? https://twitter.com/dpp/status/842464449894080513

I got a response from @1password:

@paddytanguy @dpp @ashleymcnamara 1Password 4 continues to work without an account, as always. Version 6 has always required an account. https://twitter.com/1Password/status/842146224379727873

This is a lie. And I mean this with the full reading of the New York Times' discuss of what a lie is: https://www.nytimes.com/2017/01/25/business/media/donald-trump-lie-media.html

As of build 333, there was an advanced option to use my own vault. What's worse, as of LAST NIGHT, there was a mention on 1password.com of using DropBox and other mechanisms for syncing vaults. As of this morning, that mention is gone. However, on your support site, there's still the option of using 1P 6 with DropBox: https://support.1password.com/sync-with-dropbox/

Here's the "alt-facts" attempt at a walk-back:

@dpp there’s no lie in saying that 1Password 6 for Windows has always required an account to work fully. https://twitter.com/1Password/status/842453820290527232

I am a huge fan of companies making money. I want the companies that supply me to be in business. I am happy to pay money for software, hardware, services, etc.

I am also a fan of open source and a decade into the https://liftweb.net project, I sympathize with companies trying to do open source and make money. So, I understand why AgileBits is not open source.

But closed source security software scares me because there's no way for me or others to audit the code... the code that stores my most sensitive information. So I have to trust the vendor.

Large vendors like Apple, Google, and Microsoft have certain pressures on them to generally do the right thing. I don't feel great about trusting them, but they are not going to give up my information except to another entity as large as they are. They do care about security against non-governmental attacks. And Google is especially good at dealing with targeted and semi-targeted attacks.

When your representative lies... not simply spins... but makes a statement that "we've always been at war with Eastasia"/"1P 6 on Windows has always required a cloud account", it calls into question AgileBits' ethics and once a small, proprietary vendor's ethics are called into question, I tend to avoid that vendor.

I had originally intended to write this as a blog post, but I appreciate the quality of product that has been 1Password and I appreciate AgileBits' blog posts on security.

So, if AgileBits is going to a cloud-only model, please be totally transparent that AgileBits will at some point phase out support for personally managed vaults and AgileBits will at some point phase out support for 1P 4 for Windows. When I say, "please be totally transparent" I mean "write a blog post and link to it from your home page." And also, please specify how AgileBits will manage security for its cloud offering... and yes, security for cloud is radically different than security for desktop.

If AgileBits just wants recurring revenue from me, I'm down with that. But, I want to manage my own vaults. I will pay periodically for the right to manage my own vaults.

Please let me know what the story is by March 24th. Please be honest (and that likely means escalating this note beyond customer service/sales). Any further lying or attempts to spin will result in this message becoming a blog post and a warning to avoid AgileBits because of the ethical issues related to a small, proprietary security vendor.

Thanks,

David

AgileBits does a Kellyanne Conway and doubles-down on a lie, AGAIN

Hi David,

Thanks for taking the time to write in, and for your patience.

I'm certainly sorry for any confusion, and for the obvious frustration we've caused.

But on Tuesday, I downloaded Build 377 for Windows to install on a new Win10 machine. I looked for the "advanced options" selection so I could use 1Password 6 with my own managed vault rather than using 1Password's cloud.

1Password 6 was initially created and released for use with 1Password for Teams, and isn't considered to be an "upgrade" to 1Password 4. 1Password 4 is the current version for use with the standalone license, and allows you to continue syncing your locally-stored data with Dropbox. 1Password 6 is intended for use with 1Password Membership accounts, whether that be the Individual account, the Family account, or the Teams account. This is also why when you tried to go to "advanced options" section, you didn't see mention of syncing via Dropbox, iCloud, or WLAN server sync. With 1Password 6, your data gets synced across our secure servers, so there is no option to sync via Dropbox.

Whenever you see mention of syncing with Dropbox on our support site, that is in reference to the older standalone license model, and using 1Password 4. That being said, we do allow you to connect to your Dropbox-synced vault in 1Password 6 for Windows, but only in read-only mode so that you can easily transfer your data from your Dropbox account into your 1Password Membership account.

So, with 1Password 4, you can actively sync your locally-stored data with Dropbox, as you always have in the past. With 1Password 6, which is intended for use with our subscription-based Membership accounts, you can still access the 1Password data stored in your Dropbox account, but you can't create and sync new data that way. Instead, the data in Dropbox is in read-only mode, with the assumption that you're just accessing it in order to move it from Dropbox into your 1Password Membership account.

I can absolutely see how this is not nearly as clear as it should be, and I sincerely apologize for that.

But closed source security software scares me because there's no way for me or others to audit the code... the code that stores my most sensitive information. So I have to trust the vendor.

For 1Password.com web service, we rely on two separate keys that that are never transmitted to us in any way or shape, your master password and your secret account key. You can find out more here (https://support.1password.com/secret-key-security/) and our technical security whitepaper (https://1password.com/files/1Password%20for%20Teams%20White%20Paper.pdf). With that, the next is the implementation, 1Password.com has been security-audited by three separate companies as shown on our list here (https://support.1password.com/security-assessments/). Even if you don't trust our implementation, I would encourage giving the technical security whitepaper a read, just to see what we're doing, even if you have no plans to ever use it.

So, if AgileBits is going to a cloud-only model, please be totally transparent that AgileBits will at some point phase out support for personally managed vaults and AgileBits will at some point phase out support for 1P 4 for Windows.

Just to be absolutely clear, we still support 1Password 4 for Windows. We also still sell the standalone license for existing users, or for those who specifically request it. Just because we're currently super excited about our Membership service doesn't mean we've abandoned support for the standalone model. We understand that the standalone license fits some use cases that the Membership may not, as far as local storage and syncing manually with your preferred method. We have no plans to stop supporting 1Password 4 for Windows, or our customers who have standalone licenses.

We don't plan to "phase out" support for our older versions. For example, we're currently on 1Password 6 for Mac, and yet still support 1Password 3. We also had a product, Knox, that while we no longer sell or develop it, we still offer support. You are not required to move over to our Membership service if you're happy with the standalone license set up. However, you will need to use 1Password 4 for Windows if you're wanting to continue syncing with Dropbox, rather than moving your data from Dropbox to a Membership account.

The support articles referring to Dropbox sync for Windows are referring to 1Password 4. While you can access your 1Password data in Dropbox with 1Password 6, it's only in read-only mode for purposes of moving it. For active use of Dropbox sync, you'd still need to use 1Password 4 for Windows.

Again, I'm very sorry for the confusion, and I'm particularly sorry that you feel like we've lied. That was never our intention, as I mentioned we absolutely still support standalone licenses, but even in trying to explain the Dropbox issue here, I struggle to find the right words, so I can see why the answer you received on Twitter could be seen as misleading. That wasn't our intention either, but the bottom line is that for those using the standalone license model, or trying to use 1Password with Linux, 1Password 4 is the version that will allow you to sync with Dropbox, and manage your data, whereas 1Password 6 for Windows is intended for use with the Membership service.

Please let me know if I haven't addressed your concerns and I'll be happy to give it another shot.

Kind regards,

Tra AgileBits Support

What's wrong with this response?

AgileBits' web site, at the time of the rep's response, claimed that the user controls the location of their vault and "sync it yourself" was an option at the time that the rep told me that 1Password 6 is cloud-only.

So, either AgileBits web site is wrong or the rep is wrong.

Until AgileBits removed the "choose your own local vault" UI option (between builds 333 and 377), the above statements were true for 1Password 6 and 1Password 4 for Windows. Further, upgrading a build 333 with local vault only to version 377 allows me to continue to use my local vault.

So, at some point AgileBits decided to force people to their cloud offering and continues to tell their customer service reps to lie about it.

Further, there's no commitment to continue to support 1Password 4. The response is "trust us!" But, I don't trust a vendor that has its customer service reps lie and double down on those lies even when the truth (1Password 6 worked with local vaults until very recently) is demonstrated as false.

Why you should move away from AgileBits

AgilesBits is changing revenue and business models. This is great. Vendors should make business choices that allow them to stay in business and service their customer base.

But, AgileBits forcing people into their new revenue model by removing UI access to features that already exist in the product is somewhat shady.

What's worse, AgileBits is lying about the changes to their product.

So, what's the next revenue model that AgileBits adopts? Putting backdoors into their products? Turing a blind eye for $ to a vulnerability that some non-governmental agency is exploiting?

AgileBits will drop support for 1Password 4 as soon as AgileBits' contractual obligations to large customers ends. When is that? I don't want to find out the hard way.

AgileBits will continue to make changes to their software that forces users to AgileBits' cloud... including changes to Mac, iOS, and Android versions.

When a security vendor lies and sanctions their support people's lies, you have to move away from that security vendor.

I am moving to a new password management vendor this week.

If you're a 1Password user, please think about when you're going to move.

If you're considering 1Password or AgileBits' cloud offering, ask "do I want to put my company's secrets with a vendor that is dishonest?"