Who moved my cheese, 1Password?
Kenn White

Yes, this echoes my experience. A product I’ve been recommending makes a change which is (sorry, but that’s how it feels) badly communicated, and when asked about it, instead of giving simple direct answers goes to what looks like obfuscation (I think it was just social media effects, timezones, lag and the usual miscomprehension of what people think they are saying and what we think we read).

I see little or no reason to say ‘don’t store local’ other than ones they validate for themselves. MVP and product design often includes ‘ask the customer’, and had they done so, I (for one) would have said “sure: include cloud, but please, don’t deprecate local”.

I’m using BTsync/Resilio cross-platform to share out my “local” file storage, and whilst I recognize the risks, I feel like I own the crypto chains behind my device-to-device share, and I like that. Put it in the cloud, and how do I know the provider is honouring the spirit of what I wanted?

What (in the end) distresses me most is that a few years back now I asked 1P about PKCS wrap on the export blob: there is actually a standard for signed exported data, but no: they dump a plaintext CSV. So you *can* get your credentials out to upload, but the one thing they don’t do is help protect them when you do. I feel that a real security company with my best interests at heart would not simply dump my privates back on me in clear, but would use the industry standard to do shared-key wrap.

I am still using 1Password. I feel significantly less happy about them than I did, and I feel a change I didn’t want, which is being justified on things I think misjudge the need in security, is being foisted on me with no choice. I thought I was dealing with a vendor who respected the market’s views on the product. I now feel like nudge theory says something else to me: I’m being nudged to either do it their way, or go away.

I still think 1Password is best-of-breed in terms of the actual keystore protections, rapidity of bugfix, and concern for the underlying security of the moment in passwords. I struggle to understand why 2FA is taking so long to be added (I use other 2FA browser plugins which fundamentally weaken what a second factor IS), and I am considering Yubikey and other choices to back local crypto storage of what I think I need to protect.

George Michaelson