lgarron / first-world

Issues that are not necessarily easy to report/fix, and are (generally) not a matter of life-or-death.
https://github.com/lgarron/first-world/issues

1Password 8 forces first-party sync #166

Open lgarron opened 1 year ago

lgarron commented 1 year ago

Some fellow security professionals and I have some qualms about 1Password 8. In particular, for those of us that were using iCloud sync (and Dropbox sync before), this significantly changes the threat model.

Because 1Password's Chrome extension has been breaking and will soon stop working entirely, I was forced to switch to 1Password 8.

Setting aside concerns about heavily relying on browser technologies instead of a stable native codebase, my biggest qualm is the lack of third-party sync. iCloud sync had some limitations/quirks, but it worked perfectly well enough, and I had a lot of confidence that neither Apple nor 1Password could access my data under an honest-but-curious threat model. For my data to be compromised, either would have to hack the other's infrastructure through a malicious update. In particular, I always have to trust the hardware not to be malicious, and it was good from a security perspective that the cloud sync was integrated with hardware security.

1Password has forced me to put all my trust in one basket, and I'm deeply unhappy about that. It feels like they're doing this as much to force users into a subscription model as any other reason. But I would pay an extra monthly cost just to not store data on their servers.

If I switch password managers, it will probably be over this issue.