Six Colors

by Jason Snell & Dan Moren


By Jason Snell

1Password wants you to sync via the cloud, but won’t force you

Note: This story has not been updated for several years.

Over the weekend it seems that there was an uproar about the future of 1Password, despite a seeming lack of new news on the subject. Lorenzo Franceschi-Bicchierai summarizes at Motherboard:

In the last few years, 1Password has become a favorite for hackers and security researchers who often recommend it above all other alternatives… Last weekend, though, several security researchers tweeted that 1Password was moving away from allowing people to pay for a one-time license and have local password vaults, in favor of its cloud-based alternative that requires a monthly subscription.

It seems to me that there’s some conflation going on here. As with so many software products that mix mobile and desktop and cloud, 1Password’s publisher decided that the way forward for the product was to create a subscription package [1]. When you subscribe to 1Password, you also get access to 1Password’s new cloud syncing service.

1Password believes—correctly, in my opinion—that for most users, a built-in cloud sync service designed specifically for 1Password is going to be a better option than using another cloud service like iCloud or Dropbox, which 1Password has supported for quite a while. 1Password is quite open about how its security is designed, including the fact that the decryption key for your passwords is never synced with the cloud, so even if a hacker were to penetrate 1Password’s security and get your online vaults, all they’d get access to is doubly-encrypted garbage.

Judging by some of the Twitter threads I read today, what’s really happening is that some people simply hate the idea of software subscriptions and are sowing fear over 1Password’s security and local file syncing as a way of lashing out.

While Kate Sebald of AgileBits told me today that 1Password’s sync service is actually more secure than syncing a local vault via Dropbox or iCloud, it would have been a whole lot harder for AgileBits to convert users to a subscription model without a cloud-syncing service. Countless software companies have realized that offering ongoing subscription fees, integrated cloud services, and mobile-device syncing in a package is the best way to generate a sustainable revenue stream. I pay an annual fee for Office 365 and Adobe Photoshop and, quite frankly, they’re worth it. (And yes, both of those subscriptions include desktop, mobile, and cloud features.) Is 1Password worth $36/year (or $59/year for a family)? I think so, but your mileage may vary.

Still, AgileBits knows that a (loud, angry) portion of its customer base hates software subscriptions. A senior AgileBits person told me via email today that while it would have been much easier for the company to make 1Password a subscription-only product years ago, it has instead done extra work to allow both models to coexist.

As for using local storage for 1Password vaults: Sebald emphasized that the company will “go to great lengths to preserve [the] choice to use local vaults, even if we are encouraging new users to make a different choice.”

In other words: AgileBits is building a cloud service that it feels is safe, secure, and convenient for the vast majority of its users. But 1Password still supports local storage, too—and it seems like it will do so for the foreseeable future [2]. The app isn’t going to force you to sync your passwords via its cloud service if you don’t want to. However, in terms of what the company communicates to its user base and recommends to new users, that’s going to be focused on using the sync service rather than local vaults, and the company is building new features like Travel Mode around the sync service.

  1. An AgileBits engineer insists that the need to add features via a cloud service motivated the decision. Could be. But selling upgrades can be difficult, especially once cloud services and mobile apps get thrown into the mix. 
  2. Windows version 6 does not support local vaults, but version 4 still works. Still, this does show that AgileBits is not prioritizing local vault features. 
