[ben509]

> I really don't want to store my passwords on your "servers", and I'm sure there are few others like me - not a majority.

Businesswise, it makes sense as a first push: get a solid UX working for existing 1pass users who sync via the cloud better access on Linux. Then move on to the less glamarous parts like local vaults.

> I just don't want anything to do with my entire vault being hosted elsewhere, potentially irrational...

There is no logical mechanism that can tell you the correct amount of risk to take on, and yet you can't take actions without accepting some degree of risk. You can't justify your tolerance of risk, so it can't be rational, and yet you have to take an action, therefore you can't be fairly accused of being irrational. It's thus neither; I call it "arational" behavior.

You might think, hold on, there's a logical way: I'll look at what happens to a group of people pursuing different risk strategies, then model the expected risk vs return, and thus I can determine the optimal level of risk.

But I'd argue it's fallacious to apply that general claim to the individual. For one, you invariably have a set of outliers who were overly risky and beat the odds, were they all wrong? If not, what's the cutoff point, and why? (And likewise, a set of outliers who were unlucky despite being overly conservative, were they also wrong?)

Another reason is, as they say in finance, "past performance is no guarantee of future results." Any model you come up with to justify a risk strategy can and will be invalidated as history unfolds.

[burnte]

If you can't trust them to host an encrypted blob, you can't trust them to run code on your local machine. I agree with you that the resistance isn't rational.

[jooize]

Hosting my encrypted data means anyone with sufficient access at any single time can copy the encrypted data and attack it or me, then or later when eventually feasible.

Hosting only an executable I download and execute means the adversarial extraction of data must be contained within the executable and bypass all security from within my system. There is a window of opportunity for sending out a signal indicating the executable can not be trusted.

I do trust the team of 1Password to be competent and not evil, but there are many things that can go wrong anyway.

I remain disappointed that there is no way to set up nor configure a 1Password.com account without the web client.

[ntucker]

> I do trust the team of 1Password to be competent and not evil, but there are many things that can go wrong anyway.

Very much this. I don't benefit in any way from having a copy of my sensitive data in their cloud, so as a very basic security principle, I don't want them to have it.

And that's just for my personal use. If they drop support for local vaults, I have to stop using it for work, too, because my employer prohibits password managers that store passwords in the cloud. My understanding is that these policies are specifically designed to keep us in compliance for government contracts, so I don't think they're changing.

[cmckn]

I agree; and unfortunately I found self-hosted vaults to always be a bit challenging to get right, if I wanted to use my vault on multiple devices. The local-network only sync engine never worked for me, so I ended up using another third-party's servers to sync anyway. I signed up for 1password.com a couple months ago and it's been painless. To each their own!

[infogulch]

> an executable I download and execute means the adversarial extraction of data must be contained within the executable and bypass all security from within my system

(emphasis mine)

Security is about having layers. I can't begrudge someone wanting to add layers to their security.

[risyachka]

True, but same goes to hosting your own server.

And I would bet that a team who's job for many years is to ensure the safety of your data will do a better job at it than 99.9% of users that host it themselves.

[lawnchair_larry]

That isn’t logical at all. The two are completely different threat models.

I used to be a happy 1Password customer until they decided that they did not want people like me as customers. I trust the code, I don’t trust them to store my data, encrypted or not.

[akerl_]

Why not keep storing your data locally, the same way that you were before?

[maxgee]

They've absolutely crippled 1password to make local vaults as difficult to buy and use as possible. They don't roll out updated versions as often, many versions don't get support for local vaults for years, they make it nearly impossible to buy the non-subscription version, and you can no longer upgrade older licenses to use new versions.

Their entire business model is really sleazy and they've gone out of their way to alienate people who don't want to pay for a subscription and hosting service for something as simple and secure as locally encrypting passwords. I was a loyal customer for a long time but after a few years of them jerking non-subscribers around, I got tired of it and tell any friends and family to stay away from it.

Every company that has moved to a subscription and cloud-based product has essentially traded a one time $30-50 license to getting that (or more) every year, and the product is usually inferior from my experience.

[chipotle_coyote]

> Every company that has moved to a subscription and cloud-based product has essentially traded a one time $30-50 license to getting that (or more) every year, and the product is usually inferior from my experience.

Two mild counterpoints:

(1) While "from my experience" is always definitionally anecdotal, most applications that I'm aware of that have moved to (or started with) a subscription-based model have released new features on a rolling schedule that's at least as fast, if not faster, than the "one-time license" model. On the Mac/iOS, there's Ulysses, Fantastical, and Drafts off the top of my head; cross-platform, the JetBrains IDEs all come to mind. (They're not precisely the same model due to their "perpetual fallback license" approach, but they're definitely trying to drive you to subscribe.) And, for all the mostly-deserved hate Adobe gets, their release cycle appears to have picked up speed since they moved to a subscription model.

(2) The one-time license model works great for applications that don't need any updates in the future beyond perhaps bug fixes. If you want ongoing support and new features, where does the money to support that come from? In years past it would have come from upgrade pricing, but programs went years between new releases and there was nothing that compelled users to upgrade if the old program was still working on their hardware. I get that as a user that's great, but for developers, it's, well, rocky. It was livable a decade ago because those big application programs were way more expensive. At today's prices, where $39 seems kinda steep, that may not be a workable business model.

As for 1Password specifically, I run it on a work laptop, a personal laptop, an iPad Pro, an iPad Mini and an iMac, and keeping the various "local vaults" in sync was always a bit of a pain in the ass -- and of course there was no way to access that vault over the web on a different machine if I really, truly needed to. And I know more than a few people using 1Password for Families. I don't think it's a "really sleazy" business model at all. It may be a business model that you don't like, but that's not the same thing.

[pseudalopex]

1Password used to let you host self host web vaults. Dropbox and iCloud seem to work fine where they're still supported.

Dropping local vaults in an iOS patch was kind of sleazy. So is downplaying the ways the new security model is worse.

[bwoodruff]

I really don't think I could've said it better myself. Thanks for the comments. - Ben, 1Password

[wolco]

Subscription model forced on a local password manager customer? A little sleazy.

[pseudalopex]

Maybe they weren't. 1Password used to support self hosting and third party sync services. Some versions still support some third party services but only subscriptions work everywhere.