We can't be the tool for everyone and we're always the first to recognize bugs exist. Unfortunately we also aren't able to fix them all just like I'm sure most people around here have backlogged bugs in the applications they work on. But we do try to prioritize based on severity and how many people are impacted.
I do appreciate the kind words though. We're not perfect, never will be, but we can sure try our best and I think that's all anyone really wants out of themselves.
If you ever run into issues feel free to reach out as well. Happy to help however I can!
I can't comment on the defensive part, but text can often be harder to parse in conversation so perhaps it was that? I generally find our support team to be pretty understanding but I am sorry if our support team didn't properly handle your concerns and feedback.
Feature parity is a tricky one. The Mac (and since it's shared code in a lot of ways, the iOS app) have been around a lot longer. Dating back to just a bit after I started here 8 years ago we started work on 1Password 4 for Mac and iOS.
The Windows app was rebooted completely a few years back and has been playing catch up since.
Feature parity is the ideal, but it isn't something that is going to happen overnight and we're still trying to do a variety of things to make that happen. But without slowing down our Mac team the Windows app will never really reach feature parity. With that in mind I know our Windows team really wants to try to be a lot closer and they're working hard to do it, but we're all sorry it hasn't moved faster than we'd all like.
If you have specific feedback feel free to write into our support and mention me (Kyle) and that your support request be answered by me. Please include a link to this thread just for reference and I'll make sure to look into all of your comments and concerns.
Again, very sorry we haven't met your expectations. Know that our expectations haven't been met either and that we're working hard to try to give everyone what they want on our Windows application.
Sorry to say I don't think any words I'm going to say will help here. You'll just have to keep an eye on what we do I guess.
I've said elsewhere but we won't pretend to be the single password manager that works for everyone and I'm sorry if we end up being one that doesn't work for you. Hopefully one of the dozens of others out there work for you if we don't though.
Thanks for the feedback though! I certainly appreciate it and will pass along the information I've gleaned from this thread to the various people that need to see them.
Unfortunately, the iOS side is difficult. We've done the best we can there given the limitations and our imagination at this time. It's possible we drum up a better solution in the future but we haven't had any major breakthroughs in how best to present the UI for this.
We have filed feature requests with Apple to try to get better mechanisms for making this whole process better though. Hopefully we'll see improvements down the road that help us make a better user experience.
You are correct, you'd need to provide the key to each device.
To sign in on a new device you need:
1. Your email
2. Master Password
3. Secret Key
4. The URL for the server your data resides on
When signing in on a new device we offer a variety of ways to help you do this.
1. Your Emergency Kit, a PDF document, has a QR code that can be scanned on most clients.
2. There's also ways to show the same QR code, or a setup code, within the apps to scan on screen
3. For Apple products we do have a method that saves the Secret Key to the Keychain and can sync via iCloud to help facilitate adding the account to new devices
4. You can always do it manually as well
Hope that helps get a better idea of what has to be done there.
> Will you add support for the newer 2FA options anytime soon?
We've added Yubikey support for the web client and for 1Password for iOS.
We don't comment on future plans because they could change, but we would like to at least see feature parity here in all of the clients, but I can't comment on when that may happen.
2FA doesn't add the same level of security to 1Password as it may with other services so we need to be mindful of bordering into security theater.
> Is there any roadmap on when the newer 1Password X becomes the default plugin for use in browsers? As a Linux user I believe my options to use 1Password are somewhat limited.
I believe that's the direction we're heading but as I mentioned we don't generally comment on specifics. We've done the whole comment publicly and say "yes, it's coming soon" enough times and then had to backtrack and say "sorry, no can do" that we just don't say anything specific anymore for fear of upsetting users.
We always tell people buy for what the product is now, not what it may be in the future. And outlining future plans gets people to buy based on what it may be in the future, and those simply aren't promises we can always keep. So we do the typical under promise, over deliver when it comes to talking about future plans.
Hopefully this doesn't come across as pushing your questions off, that's not at all what I'm intending but clearer answers just aren't something we can comment on at this time.
If you do have any questions moving over though feel free to get in touch via our support page and I'll do my best to get you answers.
You can map things up pretty good here. However, note that Little Snitch may not provide the most accurate domains when it comes to CDN services. So do keep that in mind that it may reverse DNS incorrectly. I believe they document this on their own site as well. There's at least this that I could find:
We went so far as with the Mac application to provide a plist that documents each domain it contacts to give context within Little Snitch, but I suspect you're using 1Password X, which cannot provide the same feature.
There's also an open issue to be able to disable rich icons as a setting there. I was a little unhappy that we didn't provide an option for that feature in 1Password X, and I'll bring up again with that team that they need to provide the checkbox sooner rather than later.
Sorry you got bit by this though and thank you for the feedback!
We still provide local vaults, in fact you can use them via a license (that we still sell) AND you can use them with a subscription.
Want to buy a license?
On the Mac app for instance, open it on a fresh installation. Goto the welcome screen that pops up on first launch, from the list of options choose the "Create a new Local Vault" option in the list. This will take you down the path of buying a license.
Or if you sign up for a subscription, goto advanced options and enable the option to create local vaults. You can sync these to Dropbox or iCloud if you wish, same as you always have been.
There's similar options for Windows. Though it only includes Dropbox syncing and not iCloud.
We still sell licenses, it's not super easy to find but it's there. Open the app on a new machine, on the welcome screen of options there's a "Create A New Local Vault" option, which takes you down the path of purchasing a license if one doesn't already exist.
Those on subscriptions can also still create local vaults as well. You'd have a subscription plus the option of local vaults.
So options haven't disappeared, they're all there.
That said, providing an option without support is kind of bad form. We pride ourselves on providing the best technical support we can for our users. Selling a license and then not supporting it would just not be within what we consider good business or, well, being a good developer.
I think this is probably the better way to look at it.
We seen a lot more "I can't access my data anymore" emails before we had our own service. Those seem to have dropped a lot, at least based on my own experience when doing support, since introducing 1Password.com.
At the end of the day, our 1Password.com solution is also more secure thanks to the Secret Key being used as well. Our local vaults are certainly secure, but 1Password.com is even more secure.
No matter what we do we will have people who don't agree with us. The best answer we can have is be able to logically explain why we have chosen to do something the way we have. Whether the user agrees or not is up to them, but we try to be able to at least explain why we chose to go a direction and hope that the explanation makes the most sense for the most people. We don't always get it right, but we certainly try our best.
You can still make backups on all platforms. So it would be a matter of restoring a backup. Typically someone with local vaults also syncs (to either iCloud or Dropbox) so in theory as long as they still have access to that account they can sign in and access their 1Password data. I'd still suggest backups in addition to that, a sync file is constantly changing, and is not an actual backup.
Thanks for the kind words. I'll make sure to pass this along to our team. It's always great when we hear positives. Sometimes the negatives can overwhelm the positive in terms of feedback.
If I can do anything to help you with the consulting side please reach out via our support team and you're welcome to ask for me. If I can't help you then I'll get you in touch with someone that is able to do so.
We had a greater need for the 1Password.com support in the Windows client. So when we started our rewrite efforts it focused on that.
In general, we'd agree that it took longer than we wanted, and I'm sorry if that caused you to leave. In the end we were really doing the best we could given the demands we had and the time/resources available to do it. It sounds like in this case it wasn't enough.
We can talk all day about bugs and mistakes. They're a fact of life and we are human.
It's also important to remember that your Master Password still plays a role and YOU provide that. If you use a weak Master Password, and we somehow introduced a bug that set the Secret Key to 0's, then your Master Password would be the only thing protecting you. In an ideal world you'd continue to use a strong Master Password.
It is generated locally as I indicated, and as outlined in our white paper.
Where some users get confused, and perhaps rightfully, is that when you sign in you can generate a PDF called an Emergency Kit, that contains the Secret Key. This PDF is generated entirely in JS within the browser. It is not generated on our servers and then downloaded. Some users do get confused about that.
Our web client is effectively a client running in the browser, it's all local and communicates with our servers the same way that a native app would.
I think you may want to take a closer look at how 1Password works. I'll give a quick rundown here, but our security white paper goes into much greater detail: https://1pw.ca/whitepaper
Your data is encrypted locally on your devices, it is never available in a decrypted form on any of our servers. A compromise of our servers would result in the attacker getting gibberish (encrypted data).
To decrypt that data the attacker will need both your Master Password and your Secret Key. A Secret Key is a 128-bit key generated locally on your device, your Master Password is a passphrase set by you. These two keys are combined and, to simplify greatly, used to decrypt your data.
The only way an attacker is going to acquire your Master Password and Secret Key are from your devices. Those are the only places those keys really exist.
Guessing both the Secret Key and a strong Master Password are effectively going to cost such a significant amount of money, or due to time and processing constraints, be infeasible.
An attack would have to be highly targeted. In other words, you would have to be a specific target to make any attack be worthwhile. If you believe you are likely to be the target of such a very specific attack you probably have a team of security personnel working for you who could better advise you than I could.
I'd really suggest looking into how we do things. The only feasible attack on your data would be through your devices, and any other password manager that stores data locally on your devices will be impacted the same exact way in this case.
Hope that helps but if you have questions please let me know and I'll do my best to help get you answers.
I won't pretend that we're the password manager for everyone. If we're not the right one for you then hopefully one of the dozens of others out there fit the bill.
I appreciate you taking the time to respond and let me know your opinion on this though. Thanks!
We can't be the tool for everyone and we're always the first to recognize bugs exist. Unfortunately we also aren't able to fix them all just like I'm sure most people around here have backlogged bugs in the applications they work on. But we do try to prioritize based on severity and how many people are impacted.
I do appreciate the kind words though. We're not perfect, never will be, but we can sure try our best and I think that's all anyone really wants out of themselves.
If you ever run into issues feel free to reach out as well. Happy to help however I can!
Kyle
1Password Security Team