Internet Insecurity

Why Security Experts Are Pissed That ‘1Password’ Is Pushing Users to the Cloud

1Password is moving away from its one-time license, local storage option, and security researchers are not happy about it.


If you're worried about getting hacked and want to keep your data safe, one of the easiest things to do is use a password manager, an app that lets you create and store unique passwords for all of your services in a secure vault. If you use one of these, all you need to remember is one strong master password—something your brain can very well do—and the app takes care of remembering dozens of unique passwords across the web.

There are many different password managers, but in the last few years, 1Password has become a favorite for hackers and security researchers who often recommend it above all other alternatives.

What makes 1Password different, and more desirable for certain sectors of the hacker and security community, is that it allows users to keep all their passwords stored in a local "vault," a password-protected database that only lives inside their computers or smartphones. For some, this is better because your passwords never leave your computer, meaning that the user has complete control over their passwords—a hacker would have to go after that specific user as opposed to possibly getting them from 1Password if the service itself is hacked.

Last weekend, though, several security researchers tweeted that 1Password was moving away from allowing people to pay for a one-time license and have local password vaults, in favor of its cloud-based alternative that requires a monthly subscription.

"Unfortunately, 1Password is betraying their users and moving to a subscription-only service. This is unfortunate," tweeted the official account of the Crypto Village, a privacy and encryption workshop. "We cannot recommend them."

A 1Password engineer explained in a Twitter chat that the company knows "without a doubt that 1Password.com is better for usability and security," referring to the cloud-based option, which costs $2.99 per month (or $4.99 for an account for up to five people).

"We want our customers to get the best. Some people won't agree with that (which is fine!) so we'll work with them to get set up how they want, but for 99.9 percent of people, 1Password.com is absolutely the way to go," Connor Hicks, an engineer at 1Password, told me.

Using the cloud-based alternative is much easier for regular people. You can check your passwords from any computer by logging into your account on 1Password.com, and your passwords can still be retrieved if you lose your device. This is the same model most password managers (such as LastPass) use.

Hicks also clarified that the new 1Password for Windows "is built for 1Password.com and has no licence option." So, in practice, Windows users are already forced into the cloud. Hicks, however, said that if a user wants a one-time license she or he can email the company and 1Password will "help them determine if a license is really what's best for them."

In other words, 1Password really wants you to stop using its local storage version, though Hicks also added that the company is not planning to "remove support for local/Dropbox/iCloud vaults from the software," at least for now.

Whitney Merrill, a security and privacy expert, told Motherboard in a Twitter chat that "it's troubling that 1Password, a company that has traditionally been very loyal to its user base, could make such an impactful decision (subscription model and loss of local vault) without transparency to those users."

"I make a huge effort to keep my computer secure," Merrill added, "when I give all my passwords to a third party that means I need to trust them and their security."

If you use 1Password, sounds like you'll have to trust them too.
