
1Password won't axe private vaults. It'll choke 'em to death instead

Developer promises not to force peeps to the cloud – which it says is way, way better

By Shaun Nichols, 13 Jul 2017

The maker of password manager 1Password says it will not force its users to stop using private password vaults – as it sweeps this local storage functionality under the rug.

There was growing alarm in the computer security community this week that 1Password local vaults were going to be a thing of the past.

Basically, if you – as many do – opt for the local approach, your credentials for websites and other online services are held in an encrypted data store on your machine, and you can optionally back up this enciphered database to third-party cloud storage or a separate drive. This allows you to use complex passwords for websites: they're stored in your vault, and recalled when necessary, provided you give the master password to unlock the store.

Alternatively, you can subscribe to 1Password.com, where your local encrypted password vault is synchronized with a copy held on 1Password's servers, so that if you lose your local copy, such as if your laptop gets nicked, you can retrieve your encrypted credentials from the 1Password cloud. You can also access them from another machine. This costs a monthly fee.

The downside to the subscription scheme is that you're trusting 1Password.com with all your passwords. Although they are stored encrypted on its servers, they are accessed through your web browser, so anyone who manages to hack into the service could – potentially, worst-case scenario – screw around with the JavaScript code that's served to browsers to subvert the encryption and decryption process and thus break into a lot of people's vaults.

1Password's developer AgileBits, based in Canada, reckons that won't happen due to the protection mechanisms it has in place. In fact, it's so confident in its centralized security that it would greatly prefer users opt for the paid membership plan over local storage, where you basically fend for yourself to stay secure. In a support forum post earlier this year, a rep told users:

1Password is no longer marketed as a standalone product. We strongly feel that our 1Password memberships provide a much better experience. If you would like to discuss your particular situation, and what solution may work best for you, please feel free to email us at sales@agilebits.com.

In other words, no one is being forced to drop their local vaults, but AgileBits won't promote them or willingly sell licenses to its standalone apps. Instead, the biz will "emphasize" its cloud subscription package.

"Regardless of the exact trigger for the sudden proliferation of this belief, folks have speculated that we're sunsetting local vaults from time to time almost since 1Password accounts were announced," a spokesperson told us on Wednesday.

"They're still here and we have no plans to change that. For 99.9 per cent of our customers, a 1Password membership really is the best choice, so we do emphasize that option."

In fact, AgileBits is so certain users should pick the cloud service, it has all but erased any mention of local storage. Going back to March, AgileBits has held a policy of not marketing a local vault option for 1Password.

"Our customers aren't all security researchers and IT professionals. They're college students, retired steel workers, stay-at-home moms and dads, lawyers and everything in between," the outfit said.

"Many of these folks don't want to mess with manually setting up sync, so we emphasize an option that doesn't require that. But the choice to use standalone vaults remains."

In short, you can still use your existing private local vault with 1Password. If you're new to 1Password, get in the cloud with everyone else. ®

The Register - Independent news and views for the tech sector. Part of Situation Publishing