"We strongly feel that our 1Password memberships provide
a much better experience us a much better revenue stream."
The maker of password manager 1Password says it will not force its users to stop using private password vaults – as it sweeps this local storage functionality under the rug. There was growing alarm in the computer security community this week that 1Password local vaults were going to be a thing of the past. Basically, if you …
One reason I stopped using 1Password having used it quite happily for several years. I paid for the prog 3 years ago and now they want people on subs based services AND holding your private password stash on a cloud service. I checked it out and if you upload your local password stack you can't delete it!
Sorry, I want it locally where I know who is doing what to it. Did a bit of poking about and there's plenty of FOSS password stores on offer for free and which work across multiple platforms with the same DB.
Get KeePass (http://keepass.info/) instead - available for just about every platform you want and has no cloudy gubbins.
Just back up your vault to whatever offline\online service you trust. (There's even plugins to do the backups for you - if you want to trust those). The point being you have a choice and control over where the data goes.
I looked at KeePass when LastPass went cloudy, but it wasn't a starter.
There's no direct mapping between the Apps, and (worse) you have to learn a new way of doing things for credit card profiles.
Given the millions of people who said they were ditching LastPass for KeePass, I looked forward to an import tool (as the KeePass community has developed a few for other password managers).
(checks KeePass website)
Nope, still have to throw a CSV around as "generic" and then manually patch disparate fields.
You can already import 1Password .1pif files directly, it's been available for a couple of years. Look at the plugins link on the KeePass site at KeePass Plugins
Want to define a form that you like for credit card templates, then just add in the KPEntryTemplates plug-in and away you go.
It's all there and it works really well, local, cloud, PC, iPhone, etc.
Look at the plugins link and see what you like.
Make sure you check out the PickChars function - to help with the "enter the 5, 9, 2nd digit" type challenges that some sites use.
If you want a local or self-managed vault, an open-source product like KeePass is the only logical option at this point. It's not a matter of if but when will any commercial password locker maker decide that that < 1% of users that don't use their cloud service aren't worth supporting anymore. Companies aren't charities, so they're not going to keep supporting unpopular features, when the other option is so profitable.
+1 for KeePass.
I switched to KeePass from Roboform when Siber Systems' Android app for Roboform turned out to be cloud only.
While the move to KeePass wasn't entirely straightforward (as Roboform's export to HTML is crap) once done it's been fine. I do only use it for passwords and safe notes though. I don't use it for filling in credit card details on websites as I prefer to do that manually anyhoo.
Also, I think most businesses are thinking that all their users can be forced to cloud if they're presented with that as the only option. It's similar to the way Microsoft forced Windows 10 on users, by effectively killing the older systems by not supporting updates on newer processors running older OSes.
I've been using SecureSafe for ages because I like their data inheritance model.
You can set up passwords in your collection to be accessible via another "inheritance" password. If someone uses that, it starts a clock so you can cancel it and regenerate the password, but after the timeout you set (say, a week), the inheritance password then gives access to the passwords you have designated for that.
It is also cloudy*, but properly done. Their aim is to make money on the document storage part, but using just the password thing is free.
* But you're not required to use that facility.
I use the commercial Sticky Password which does have the option to store to the cloud for syncing, but that is strictly optional and daily usage is from your local store.
They have published a paper on how they sync and, from memory, your passwords are encrypted with your normal master password and then super-encrypted with the company's own password for cloud storage.
I'm not crazy though, I keep a parallel password list fully updated in Keepass in case the commercial company turns nasty in some way.
If I could give you a billion upvotes then I would do so.
Clouds come and clouds go. They drop wetness on you and then they are gone.
I see no difference with IT clouds.
Not everyone on this planet wants to be connected to the Interwebs all the time.
Business exists to make money shock! Rental better model for software business than buy outright - simples.
Business likes cloudy/app stores as they can force users to keep up to date, so only need support one version. If they go "all cloud" they gain a stable platform, no more worries about their app tripping over on a machine full of other apps, missing/incorrect libraries...
See, this is why I always say use a local application for a password manager. Preferably open source so even if the devs stop working on it, you can make it work for yourself.
Which is why for years I've been using KeePassX since its first version. Honestly, I just don't trust proprietary and "cloud" password managers, because they do stuff like this.
I've used 1Password for quite a while and DID struggle with the synchronisation issue. Phone, iPad, Computer and went to their 'subscription' model. What a nightmare. Almost immediately cancelled and went back to the local version - where lo and behold - now works fine. I hope for future users that they opt out and go to the local version and I also hope that 1Password (which is a fine product and seem to be a company that actually cares about their customers) bring back choice. I think they're missing a great deal of potential new business by forcing customers into the cloud (where I've got serious misgivings) and by exposing them to the product 'might' induce them to upgrade. If they force me to the cloud.
Like most clouds - now you see them, now I'm gone.
If you look at the 1Password forums they're getting questions about "Can I do XYZ like the app could?" and the replies are always, "Not yet but in a future release of the online version.".
1Password seem happy to beta test their online cloud offering to any mugs they can get to sign up to it, then they'll bodge it into shape as they go, pathetic. One reason I refused to carry on using it and went off and used a FOSS password offering. Shame, as I liked the 1Password apps.
Now back to KeePass?
KeePass was great, but I moved to LastPass so the web integration would be more seamless and my wife would hate me less. Then I read in the hallowed pages of El Reg about them getting sold, so I finally paid for 1Password, as some of my friends had suggested.
1Password is great, and I love the mobile apps. I could even stomach paying them a monthly tax on top of the perpetual license I already bought. But at last check 1Password 6 doesn't support local vaults (forcing me to stay on 1Password 4). This news suggests 1Password 6 won't ever support local vaults.
Maybe I have to jump back into KeePass and install CKP into Chrome. My wife likes the idea of strong passwords, but doesn't have much patience for copy/paste from an external program.
RE: "But at last check 1Password 6 doesn't support local vaults (forcing me to stay on 1Password 4)."
Nope, I have 1Password 6.7 here and have always used local vaults.
The only (main) missing feature with local vaults is that the sync only seems to work to mobile devices, not to other local computers :(. Very unhelpful.
I have to agree with the complaints about dropping the local vault version -- the fact that legacy 1Password keeps your data entirely on locally controlled systems is a major benefit. I would have recommended 1Password to others except that it seems impossible to get the one-off purchase any more, and who wants to recommend people sign up for yet another subscription?
My fault - when I said "local vaults," I was specifically referring to Dropbox sync for those local vaults. Yes, my password blob is stored in the cloud, but a hacker would then have to crack my master password if they plucked the vault from Dropbox.
1Password 6 has actually _removed_ support for Dropbox sync. https://discussions.agilebits.com/discussion/76885/1password-6-does-not-support-local-vaults-atm
Previously, the vaults were read-only, which was also a non-starter.
Now I find out 1Password 6 doesn't work with IE. ARGH. You can hate it but it's what many businesses (like mine) use.
OK, worst case scenario...
Step 1: Credit card details get leaked by either an online store or malware in a bricks and mortar PoS system.
Step 2: Cancel credit cards and wait for a new number
Step 3: Update payment details for all those subscriptions you've got going.
Step 4: Ooops, you are already locked out of either 1Password or your ISP for non-payment
Yes, you can alleviate this somewhat by having multiple credit cards, but you need to make your own assessment of which sites data might leak from. Also, in my country, credit cards aren't free.
Suggest having at least one credit card account where you can generate virtual credit cards. For me that is Bank of America (ShopSafe is the product, I use it all the time, though it does require Flash to interact with). I also have other credit cards but it seems that particular capability is far from universal.
I think my (real) credit cards have been compromised 1 time (MAYBE 2) in the past 3 years at this point. I did have one ShopSafe card compromised, which is odd because only 1 vendor ever got the number (hotel reservation system). Because the original vendor did not charge the number, it was still "open" to be used (the moment it is charged it is locked to that vendor). About 2-3 months later a strange charge showed up from another website that I had never used, it was especially weird because there was only that one charge - normally I would see multiple fraud charges in a short time period. After some investigation I tracked it to the specific virtual credit card I used to reserve the hotel room. The vendor that had charged my card with the fraudulent transaction refunded the money. I sent a message to the hotel chain with the details but never heard back. Bank of America saw no need to cancel my main card since it was only ShopSafe that was compromised (maybe 7-8 years ago their reps/fraud system wasn't sophisticated enough and they would insist on canceling my main card when ShopSafe was compromised even though there was no need, now they know better).
A few years ago I had another ShopSafe card fraud attempt (that was blocked). I used that card to pay my cable TV subscription, I forgot how I got notified of the charge, but once again the only company in the world that number was given to was the cable company, so the breach happened with them or with their processor. They were very apologetic and offered to pay for credit protection (local cable company, not a big brand name). I told them don't worry about it, there is no harm done.
So in general for me at least credit card security (whether it is chip and sign or swipe) really hasn't been much of a bother for me in many many years. I would say before 2010 my card(s) would get compromised on at least an annual basis, and it was more of a bother.
From the 1password FAQs:
"What happens if my subscription lapses?"
Don't worry, you will never be locked out of your account or your data. If your subscription ends, your account will be frozen but you will still be able to access, view and export all your data.
...So presumably all you need is a working phone with mobile internet, or an internet cafe, or a friend's PC?
Done properly, they guard against "look-alike" URL phishing.
Suppose you meant to go to www.ibank.example.com but instead ended up at www.lbank.example.com. You might not pick this error up when checking the URL bar, because, as is well known, the human brain automatically corrects for this type of error (it's why you can proof for typos and still miss them). If you copy and paste, the impostor web site has your password. But 1Password, at least as I have it configured, does not offer the password in its right-click menu; all you will see is "Generate", because lbank.example.com is not in your vault.
Not all available password managers get this right, but 1Password is one that does.
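The behaviour described in the comment above, sketched as an added example (not 1Password's code and not part of the original thread): a fill menu keyed on the exact host the browser parsed, with an edit-distance check used only to warn about near-misses. `VAULT`, `pageHost`, `editDistance`, `menuFor` and the HTTPS-only rule are assumptions of this sketch.

```javascript
// Constructed sample vault; the hostname is the one used in the comment above.
const VAULT = [{ host: "www.ibank.example.com", username: "alice" }];

// Host the browser actually connected to. new URL() lower-cases the host
// and converts IDN labels to punycode, so comparison is on bytes, not looks.
function pageHost(pageUrl) {
  let u;
  try { u = new URL(pageUrl); } catch (e) { return null; }
  if (u.protocol !== "https:") return null; // assumption: never fill over HTTP
  return u.hostname.replace(/\.$/, "");     // drop a trailing root dot
}

// Levenshtein distance. Used only to raise a warning, never to match.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      cur[j] = Math.min(
        prev[j] + 1,                                   // deletion
        cur[j - 1] + 1,                                // insertion
        prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1)  // substitution
      );
    }
    prev = cur;
  }
  return prev[b.length];
}

// Build the right-click menu for a page: credentials are offered only on an
// exact host match; anything else gets "Generate" and, if close, a warning.
function menuFor(pageUrl, vault = VAULT) {
  const host = pageHost(pageUrl);
  if (host === null) return { actions: ["Generate"], fill: [], warning: null };
  const fill = vault.filter((e) => e.host === host);
  if (fill.length > 0) return { actions: ["Fill", "Generate"], fill, warning: null };
  const near = vault.find((e) => editDistance(e.host, host) <= 2);
  return {
    actions: ["Generate"],
    fill: [],
    warning: near ? `${host} resembles saved site ${near.host}` : null,
  };
}
```

The one-character difference between the two hosts is what a human reader overlooks; the exact comparison has no such tolerance, which is why copy and paste loses the protection.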
Does everything have to be a subscription?? I really like 1Password. I've been using it for over a decade. It works great. I wish they wouldn't have gone to subscription. Sure, better for revenue, I get it. But they make a great product and I would always purchase the update. To me that's much more reasonable. I just don't want to be locked into paying EVERY MONTH for something that already works just fine.
I've stuck with this (bought) AES256 encrypted tray program because it supports hierarchical folders of various custom named items, like a filesystem, random/custom-rule password generation/history, with custom sorting; not all supported by other password managers I've seen.