(I actually wanted to write about this in 2017 but I kinda forgot the draft, lol)
Oh yeah, Password Managers, something I both love and hate at the same time, they can help with Security, but at the same time totally and completely destroy it, and the widely known Password Manager 1Password by AgileBits went on and annihililated customer trust. (and of course, I am going to need a Thesaurus, yet again -.- )
So the whole Journey started almost three years ago, when they introduced accounts, subscriptions, a website to view and edit your passwords and how could it be different, an in-house sync service, that's forced onto the user who gets the subscription, and there we start to get problems.
other online-based password Managers like Lastpass already had "intresting" outcomes having security issues, being bought by other companies and a lot of other things that can worry customers.
The Problem starts with the - fairly obvious - fact that you dont have control over your db (Database, basically the file(s) where your encrypted passwords are stored) anymore.
This means that when the company closes their doors or just discontinues the product, you really need to go and export the passwords or you will have a problem.
In comparison, a good offline password manager has in the best case an open database format which allows people to write decryption and export software themselves or other password managers to create a direct import function, which allows you to keep access to your passwords even if you lived under a rock while the company axed itself. With a subscription based Password manager, as soon as the last subscription expiry date the software knows (depending on how the software protects itself, even earlier) has been reached, you will have to go online and re-check your subscription and if all the data is online on their service, the data may be gone already.
They also COULD do a whole lot more, which wouldnt be too uncommon for online based services, like enforce updates whether you like it or not, at the very least on new machines.
1Password assured in 2016, when they created the account feature and subscription model that they there were "no plans to eliminate standalone licenses or existing sync methods" or that they won't forget their roots of their "decade history of selling licenses", but I think we all know where this is going.
The original spark for this post in 2017 was that they stopped listing the standalone Licenses when Version 6 came out, pretty much about 2 years ago
according to them it was just "no longer being marketed" and if you go through the thread you can see that they are heavily pushing for their subscription model while on the last page even stating that for version 6 on windows, the subscription is the only way. I did not use it past my trial but I am pretty sure they still had local vaults at least in a later version of 1Password 6, as there was no big headline - at the time.
as said on the top I kinda forgot about the draft of this post 2 years ago but it was lit up again by a recent tweet by APT FancyBeluga (@WickedProbl3ms).
Apparently, 1Password just dropped the ability to create local vaults, which obviously sounds VERY bad, but let's take this one step at a part. As we say here in Germany, you generally don't eat stuff as hot as you cook it.
So what was specifically removed: Simply said the ability to create New Local vaults on iOS.
what was NOT removed is the WLAN-based sync between Apple devices, nor the dropbox sync. This means that at least you haven't fully lost control over this - yet.
The reason they said they were doing this was originally to no longer allow 1pw to be used for free on iOS as it was fairly often listed as one of the " best free password managers", which they wanted to be, which I can understand, BUT pro Users were also affected, which is where it gets "entertaining".
BUT WAIT, THERE'S MORE!
According to German Tech-News Site Heise.de, "in 7.3.3 all mentions of the previously sold Pro version vanished", this definitely just screams "nobody has the intention to eliminate standalone licenses or existing sync methods."*, doesnt it? Well I THINK NOT!
Also very "pleasant" is the fact that this change came in 7.3.3, a point release. While Semantic Versioning is more a thing about APIs but can be applied to versioning in general, and changes which make things work differently (or not at all) compared to before, like removing such a feature, generally require a change of the major version, and not be in a small-ass patch version so people won't notice.
and guess what - I ain't finished here, they also didnt even think it was important enough to mention in a chnagelog as they thought the use case is rare enough to not have anyone notice. I can just facepalm at this PR disaster. That is a good part of the customer trust in shambles, just "awesome", isn't it?
Conclusion
I am honestly VERY interested in how this will play out the next few years but this is certainly laying the groundwork for much more drastic changes. let's see whether they step further into the dark side or get out before it get's too bad.
- This is a reference to Walter Ulbricht who famously said "Niemand hat die Absicht, eine Mauer zu errichten" which translates to "Nobody has the intention of building a wall", when being asked literally less than 2 months before the Berlin Wall was built