Agilebits Support



In December 2012, AgileBits introduced the OPVault format to replace the Agile Keychain format, which had been introduced in 2008. A word about names: “OPVault” can refer both to the data security design used in 1Password and to a particular file format, typically with the filename extension .opvault.


I have been an AgileBits/1Password customer for 4+ years. I support small companies that have laser focus and excellence... which is what AgileBits seemed to be.

  1. 1Password for Android has full support for team and family accounts. It’s never been so easy to share the simple security of 1Password with those you work and live with. Add all your accounts —.
  2. AgileBits 1Password is horrible. Their support is beyond bad. They do not have records of your purchases and you will waste untold hours on this system. After you buy something from them, they drop it and try to force you to something more expensive.
  3. In fact, since AgileBits wasn’t even prepared for this kind of influx of users, the company turned to a third-party call management service that will help to provide phone support in order to.

However, I've had a lurking concern that a proprietary software company secures my most guarded secrets with closed source software. Recently, AgileBits has demonstrated that they are not a trustworthy company.

I will tell you the story. I am also moving off 1Password and recommend that if you're a 1Password user that you seriously consider moving to another password manager.

The Backstory

I use 1Password on my Mac. I use 1Password on Windows (the latest version). I use 1Password on Linux (version 4 because Wine won't run the latest 1Password 6).

I have always used a local vault with 1Password and I sync the local vault via Git/SSH on a server I own and control. No Dropbox. No easy access to a third party and no accidental way for my password vault to show up in a mass breach. Yes, if someone wants to target me, they will likely obtain my information, but absent a targeted attack, I feel safe.

I installed 1Password 6, build 333 on a Windows box a few months ago. It worked fine and let me access my local vault. Yay!

When I went to install 1Password 6, build 377 on my newest Windows box, I was unable to access my local vault. I took to Twitter to ask the AgileBits folks what was up.


They claimed that 1Password 6 is and always has been a cloud-only offering. This is not true. I pushed on it and AgileBits doubled down on this lie (and yes, I use the word 'lie' with full understanding that it requires the intent to deceive.)

What's the Issue?

Over the last year, AgileBits has migrated its business model from one-time software sales to a monthly subscription model with their cloud offering.

The migration makes perfect sense from a revenue and competitive perspective.

From a revenue perspective, the $100 +/- I've paid AgileBits for the software is not optimal to keep a team fixing and improving software. I paid once, but I expect updates and fixes. Lots of companies are moving to a subscription model and it makes sense to align revenue with costs.

From a competitive perspective, LastPass is eating 1Password's lunch and as password management becomes organizational secrets management, a cloud offering makes a ton of sense.

I applaud both the migration to subscription and a move to the cloud.

Except, I'm not going to store my password vault in another company's cloud until I've seen how the company handles a breach.

So, I want to continue to use 1Password, manage my own vault on my own server, and wait to see how their cloud offering evolves.

But... they are forcing people to the cloud and not being honest about this direction.

And if a company that has code that is proprietary and houses my most important secrets is going to be anything other than totally honest about changes, I cannot trust them and cannot use their software.

When a support representative makes repeated false (and demonstrably false) claims in furtherance of the company's current agenda, that's a lie.

Trying to be calm

After a calmer (and smarter?) person, @diligiant, tried to calm me down, I decided to reach out to AgileBits privately to figure out if the Twitter support person was just mistaken and didn't really understand the gravity of the situation.


So, I wrote a direct letter to the AgileBits folks to see if they would be honest:

Folks,

I've been a 1Password customer for more than 4 years.

When I was VP Engineering at kiva.org, I advocated for Kiva to move from LastPass to 1Password. I have been more than a user and a customer... I've been a fan. I've even written about how to run 1Password on Linux: https://blog.goodstuff.im/1password

But on Tuesday, I downloaded Build 377 for Windows to install on a new Win10 machine. I looked for the 'advanced options' selection so I could use 1Password 6 with my own managed vault rather than using 1Password's cloud. I could not find the option. So... I tweeted:

Looks like @1Password is forcing people to their cloud offering… anyone have a cross platform password Mgr they love? https://twitter.com/dpp/status/842464449894080513

I got a response from @1password:

@paddytanguy @dpp @ashleymcnamara 1Password 4 continues to work without an account, as always. Version 6 has always required an account. https://twitter.com/1Password/status/842146224379727873

This is a lie. And I mean this with the full reading of the New York Times' discussion of what a lie is: https://www.nytimes.com/2017/01/25/business/media/donald-trump-lie-media.html

As of build 333, there was an advanced option to use my own vault. What's worse, as of LAST NIGHT, there was a mention on 1password.com of using DropBox and other mechanisms for syncing vaults. As of this morning, that mention is gone. However, on your support site, there's still the option of using 1P 6 with DropBox: https://support.1password.com/sync-with-dropbox/

Here's the 'alt-facts' attempt at a walk-back:

@dpp there’s no lie in saying that 1Password 6 for Windows has always required an account to work fully. https://twitter.com/1Password/status/842453820290527232

I am a huge fan of companies making money. I want the companies that supply me to be in business. I am happy to pay money for software, hardware, services, etc.

I am also a fan of open source and a decade into the https://liftweb.net project, I sympathize with companies trying to do open source and make money. So, I understand why AgileBits is not open source.

But closed source security software scares me because there's no way for me or others to audit the code... the code that stores my most sensitive information. So I have to trust the vendor.

Large vendors like Apple, Google, and Microsoft have certain pressures on them to generally do the right thing. I don't feel great about trusting them, but they are not going to give up my information except to another entity as large as they are. They do care about security against non-governmental attacks. And Google is especially good at dealing with targeted and semi-targeted attacks.

When your representative lies... not simply spins... but makes a statement that 'we've always been at war with Eastasia'/'1P 6 on Windows has always required a cloud account', it calls into question AgileBits' ethics and once a small, proprietary vendor's ethics are called into question, I tend to avoid that vendor.

I had originally intended to write this as a blog post, but I appreciate the quality of product that has been 1Password and I appreciate AgileBits' blog posts on security.

So, if AgileBits is going to a cloud-only model, please be totally transparent that AgileBits will at some point phase out support for personally managed vaults and AgileBits will at some point phase out support for 1P 4 for Windows. When I say, 'please be totally transparent' I mean 'write a blog post and link to it from your home page.' And also, please specify how AgileBits will manage security for its cloud offering... and yes, security for cloud is radically different than security for desktop.

If AgileBits just wants recurring revenue from me, I'm down with that. But, I want to manage my own vaults. I will pay periodically for the right to manage my own vaults.

Please let me know what the story is by March 24th. Please be honest (and that likely means escalating this note beyond customer service/sales). Any further lying or attempts to spin will result in this message becoming a blog post and a warning to avoid AgileBits because of the ethical issues related to a small, proprietary security vendor.


Thanks,


David

AgileBits does a Kellyanne Conway and doubles-down on a lie, AGAIN

Hi David,

Thanks for taking the time to write in, and for your patience.

I'm certainly sorry for any confusion, and for the obvious frustration we've caused.

But on Tuesday, I downloaded Build 377 for Windows to install on a new Win10 machine. I looked for the 'advanced options' selection so I could use 1Password 6 with my own managed vault rather than using 1Password's cloud.

1Password 6 was initially created and released for use with 1Password for Teams, and isn't considered to be an 'upgrade' to 1Password 4. 1Password 4 is the current version for use with the standalone license, and allows you to continue syncing your locally-stored data with Dropbox. 1Password 6 is intended for use with 1Password Membership accounts, whether that be the Individual account, the Family account, or the Teams account. This is also why when you tried to go to 'advanced options' section, you didn't see mention of syncing via Dropbox, iCloud, or WLAN server sync. With 1Password 6, your data gets synced across our secure servers, so there is no option to sync via Dropbox.

Whenever you see mention of syncing with Dropbox on our support site, that is in reference to the older standalone license model, and using 1Password 4. That being said, we do allow you to connect to your Dropbox-synced vault in 1Password 6 for Windows, but only in read-only mode so that you can easily transfer your data from your Dropbox account into your 1Password Membership account.

So, with 1Password 4, you can actively sync your locally-stored data with Dropbox, as you always have in the past. With 1Password 6, which is intended for use with our subscription-based Membership accounts, you can still access the 1Password data stored in your Dropbox account, but you can't create and sync new data that way. Instead, the data in Dropbox is in read-only mode, with the assumption that you're just accessing it in order to move it from Dropbox into your 1Password Membership account.

I can absolutely see how this is not nearly as clear as it should be, and I sincerely apologize for that.

But closed source security software scares me because there's no way for me or others to audit the code... the code that stores my most sensitive information. So I have to trust the vendor.

For 1Password.com web service, we rely on two separate keys that are never transmitted to us in any way or shape, your master password and your secret account key. You can find out more here (https://support.1password.com/secret-key-security/) and our technical security whitepaper (https://1password.com/files/1Password%20for%20Teams%20White%20Paper.pdf). With that, the next is the implementation, 1Password.com has been security-audited by three separate companies as shown on our list here (https://support.1password.com/security-assessments/). Even if you don't trust our implementation, I would encourage giving the technical security whitepaper a read, just to see what we're doing, even if you have no plans to ever use it.

So, if AgileBits is going to a cloud-only model, please be totally transparent that AgileBits will at some point phase out support for personally managed vaults and AgileBits will at some point phase out support for 1P 4 for Windows.

Just to be absolutely clear, we still support 1Password 4 for Windows. We also still sell the standalone license for existing users, or for those who specifically request it. Just because we're currently super excited about our Membership service doesn't mean we've abandoned support for the standalone model. We understand that the standalone license fits some use cases that the Membership may not, as far as local storage and syncing manually with your preferred method. We have no plans to stop supporting 1Password 4 for Windows, or our customers who have standalone licenses.

We don't plan to 'phase out' support for our older versions. For example, we're currently on 1Password 6 for Mac, and yet still support 1Password 3. We also had a product, Knox, that while we no longer sell or develop it, we still offer support. You are not required to move over to our Membership service if you're happy with the standalone license set up. However, you will need to use 1Password 4 for Windows if you're wanting to continue syncing with Dropbox, rather than moving your data from Dropbox to a Membership account.


The support articles referring to Dropbox sync for Windows are referring to 1Password 4. While you can access your 1Password data in Dropbox with 1Password 6, it's only in read-only mode for purposes of moving it. For active use of Dropbox sync, you'd still need to use 1Password 4 for Windows.

Again, I'm very sorry for the confusion, and I'm particularly sorry that you feel like we've lied. That was never our intention, as I mentioned we absolutely still support standalone licenses, but even in trying to explain the Dropbox issue here, I struggle to find the right words, so I can see why the answer you received on Twitter could be seen as misleading. That wasn't our intention either, but the bottom line is that for those using the standalone license model, or trying to use 1Password with Linux, 1Password 4 is the version that will allow you to sync with Dropbox, and manage your data, whereas 1Password 6 for Windows is intended for use with the Membership service.

Please let me know if I haven't addressed your concerns and I'll be happy to give it another shot.

Kind regards,

TraAgileBits Support

What's wrong with this response?

AgileBits' web site, at the time of the rep's response, claimed that the user controls the location of their vault and 'sync it yourself' was an option at the time that the rep told me that 1Password 6 is cloud-only.

So, either AgileBits web site is wrong or the rep is wrong.

Until AgileBits removed the 'choose your own local vault' UI option (between builds 333 and 377), the above statements were true for 1Password 6 and 1Password 4 for Windows. Further, upgrading a build 333 with local vault only to version 377 allows me to continue to use my local vault.


So, at some point AgileBits decided to force people to their cloud offering and continues to tell their customer service reps to lie about it.

Further, there's no commitment to continue to support 1Password 4. The response is 'trust us!' But, I don't trust a vendor that has its customer service reps lie and double down on those lies even when the truth (1Password 6 worked with local vaults until very recently) is demonstrated as false.

Why you should move away from AgileBits

AgileBits is changing revenue and business models. This is great. Vendors should make business choices that allow them to stay in business and service their customer base.

But, AgileBits forcing people into their new revenue model by removing UI access to features that already exist in the product is somewhat shady.

What's worse, AgileBits is lying about the changes to their product.


So, what's the next revenue model that AgileBits adopts? Putting backdoors into their products? Turning a blind eye for $ to a vulnerability that some non-governmental agency is exploiting?


AgileBits will drop support for 1Password 4 as soon as AgileBits' contractual obligations to large customers ends. When is that? I don't want to find out the hard way.

AgileBits will continue to make changes to their software that forces users to AgileBits' cloud... including changes to Mac, iOS, and Android versions.

When a security vendor lies and sanctions their support people's lies, you have to move away from that security vendor.

I am moving to a new password management vendor this week.

If you're a 1Password user, please think about when you're going to move.

If you're considering 1Password or AgileBits' cloud offering, ask 'do I want to put my company's secrets with a vendor that is dishonest?'