1Password "updating" the cost of the subscription

I agree that local vaults were fine for individuals, I used 1PW for 8 years before I upgraded to their cloud based service. But that model wouldn’t have worked for businesses or even families that don’t share an iCloud account, etc.

1PW is now much more than a password manager and offers many kinds of enterprise security services. No one likes price increases but they aren’t unique to this one company.

5 Likes

But that’s not what was said. We were talking about the recent increase in subscription costs, not the implementation of the original subscription costs, which happened at about the time (with some crossover) that local vaults were deprecated.

Interesting article. However, I’m more concerned than ever about the attack surface of cloud services. Especially with AI. This makes me nervous. Companies like HeyGen can probably pass most people’s biometrics apart from fingerprint, which iPhone no longer uses. My bank requires a photo or voice print, but this is no longer secure.

Perhaps local vaults with a fingerprint scanner were not such a bad idea?

2 Likes

20% over 7 years is not bad going given world economies of late. Our company-sponsored health insurance (I live in a country where that’s a privilege, not a necessity) has apparently increased 300% in 9 years.

And we have all reported this to the vendor, haven’t we? Haven’t we?

I have a true story of this kind of chicanery, perpetrated by our national government. They came up with a “tax rebate scheme” that neither I, nor our company accountant could work out. But… official documentation that our IT consultants were provided with to update our payroll software showed that “3 tax brackets plus rebates” was actually implemented as… 4 tax brackets.

1 Like

Always. :slight_smile: They’re good about taking the report and asking for clarification. Doesn’t mean I necessarily get my way, sadly.

1 Like

I’m concerned too. Especially after reading stories like the one about a Disney employee who downloaded an “AI Tool” from GitHub that contained a Trojan.

I won’t pretend that I’m a security expert, but major companies like IBM are 1PW customers. And AWS and 1PW work together to secure AWS clients. Details like these seem like a pretty good endorsement, IMO.

How 1Password is designed to keep your data safe, even in the event of a breach | 1Password

1 Like

I think that where we are at now, this seems positive. My concern is that AI tools used to circumvent security are a real threat. Most software has some vulnerabilities. Bad actors as well as good actors now have tools to discover these. The question is whether monolith companies can fix them fast enough before the bad actors are in.

I’m moving away from 1P as in the end I cannot risk my data being compromised. This risk grows day by day with AI advancements. I prefer a local on device solution even though it may add more friction.

I wonder if AI has inadvertently made the digital space unsafe for things we’ve long used it for to keep safe?

1 Like

Due to 1Password’s location and architecture, the most significant threat is Canada forcing them to secretly exfiltrate password-key pairs. I feel comfortable betting on that not happening.

1 Like

Where are you moving to? Thank you

AI is just a random text generator, using statistics about patterns.

If your 1Password (online) vault password is unique (not a frequently used pattern) I don’t think there’s much to fear from AI (for this particular aspect)?

It’s also a whole category of apps, many of which are not distributed through a traditional App Store or by an otherwise trusted vendor.

We’ve seen how that works.

And random text generators are substantially better at scamming people than non-native speakers of a language.

There are lots of vectors in play, either aided by the hype around AI or facilitated by AI itself.

2 Likes

Then you have nothing to worry about, except losing your secret key or forgetting your password. 1Password cannot decrypt your vault.

1 Like

I’ve not decided. I’m still weighing up the options. I might just print them all out and hide them under the carpet :smile:

My big concern is the passkeys I’ve set up. I may get a YubiKey to cover those.

One thing I’ve played with on my Mac is username/password in Passwords, and 2FA (SMS/OTP/passkeys) on a separate device. It got old very fast because I clear my browser cache after each session, but YMMV.

Keep in mind that the single most popular way to steal passwords is through phishing and social engineering. So, IMO, any password manager that will not autofill your credentials if the URL is not identical to the correct one will beat your list under the carpet every time. :grinning:
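The autofill rule described in the post above, as an added example that is not code from 1Password or from the poster: a credential is only offered when the current page's origin (scheme, host and port) is identical to the origin it was saved for, so lookalike hosts, subdomain tricks and HTTP downgrades all fail the check. The saved and current URLs below are constructed sample values.

```python
from urllib.parse import urlsplit


def origin(url: str):
    """Reduce a URL to (scheme, host, port); returns None for anything that is not https."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme != "https" or not parts.hostname:
        return None
    host = parts.hostname.rstrip(".").lower()  # trailing dot and case do not change the host
    return (parts.scheme, host, port or 443)


def should_autofill(saved_url: str, current_url: str) -> bool:
    """Offer the credential only when the page origin equals the saved origin exactly.

    Exact comparison is the point: "login.example.com.evil.net" is not a subdomain of
    "example.com", "examp1e.com" is a different host, and an http:// page never matches
    a credential saved for https://, even though a human would read all of them as 'close enough'.
    """
    saved, current = origin(saved_url), origin(current_url)
    return saved is not None and saved == current


# Constructed sample: one saved credential and several pages a phish might present.
SAVED = "https://login.example.com/account"
SAMPLE_PAGES = {
    "https://login.example.com/signin?next=/settings": True,   # same origin, different path
    "https://LOGIN.EXAMPLE.COM./": True,                       # case and trailing dot normalised
    "https://login.example.com.evil.net/": False,              # saved host used as a prefix
    "https://examp1e.com/login": False,                        # digit-for-letter lookalike
    "http://login.example.com/": False,                        # downgrade to plain http
    "https://login.example.com:8443/": False,                  # different port, different origin
}


def run_samples(saved: str = SAVED, pages=SAMPLE_PAGES) -> dict:
    """Map each sample page to the autofill decision, for comparison with the expected values."""
    return {url: should_autofill(saved, url) for url in pages}
```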

Do you think the cost of those unnecessary servers has not increased? Stop your white knighting please… the squeezing is going to continue…

Yep—to be clear, I meant if a security letter compelled them to change how the software worked, so e.g. setting up a new device would transmit the secret key. That would be a crazy scandal.

1 Like

This is an interesting article about the topic.
Although the study focused primarily on Bitwarden, Dashlane and LastPass the researchers also examined 1Password and identified that it is susceptible to similar types of vulnerabilities. This isn’t a “bug”… it’s a trade-off between cloud convenience and absolute security. Meanwhile they told us that server vaults are so much more secure than private vaults. :slight_smile:

1 Like

This is the issue: it is not truly random. It is a German article, but absolutely worth your time if you are able to understand German or if you are willing to have it translated:

The essence: Using LLMs to generate passwords is a bad idea by design.

The problem is deeply rooted in the architecture of every language model. LLMs work by predicting the most probable next token based on their training data. This is precisely what makes them so useful: they produce plausible, meaningful texts.

But for passwords, this is disastrous. Secure passwords need the exact opposite: true randomness, where each character is chosen with exactly the same probability, completely independent of the previous one. Technically, this is called CSPRNG – Cryptographically Secure Pseudorandom Number Generator. LLMs simply do not have this.

The generation of passwords should be done by true cryptographic random number generators only. AI only makes it worse.

An article in English about the issue:
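As an added illustration of the argument above (not code from the linked articles or from the poster), a toy next-character predictor is set beside a CSPRNG-based generator. The bigram model and its training corpus are constructed here to stand in for the "most probable next token" behaviour the post describes; it is not a real language model.

```python
import math
import secrets
import string
from collections import Counter, defaultdict

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def csprng_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Every character is drawn uniformly and independently from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def uniform_bits_per_char(alphabet: str = ALPHABET) -> float:
    """Entropy per character when each symbol is equally likely: log2(|alphabet|)."""
    return math.log2(len(alphabet))


# Constructed toy predictor: a bigram model fitted to a handful of human-style
# passwords. It chooses the next character from what usually followed the
# previous one in its training data, which is the behaviour the post objects to.
TRAINING_CORPUS = ["password123", "Password1!", "letmein2024", "Summer2024!", "welcome1"]


def train_bigrams(corpus):
    """Count, for each character, which characters followed it in the corpus."""
    counts = defaultdict(Counter)
    for word in corpus:
        for prev, nxt in zip(word, word[1:]):
            counts[prev][nxt] += 1
    return counts


def predictor_bits_for_next_char(model, prev: str) -> float:
    """Shannon entropy (bits) of the predictor's next choice given the previous character."""
    dist = model[prev]
    total = sum(dist.values())
    return -sum(n / total * math.log2(n / total) for n in dist.values())


def predictor_password(model, start: str, length: int) -> str:
    """Sample each next character from the predictor's distribution, as a token sampler would."""
    out = start
    while len(out) < length and model.get(out[-1]):
        dist = model[out[-1]]
        choices = [ch for ch, n in dist.items() for _ in range(n)]
        out += secrets.choice(choices)  # random sampling, but only over what the corpus ever saw
    return out


if __name__ == "__main__":
    model = train_bigrams(TRAINING_CORPUS)
    print("CSPRNG:", csprng_password(), f"({uniform_bits_per_char():.2f} bits per character)")
    print("predictor bits after 'p':", predictor_bits_for_next_char(model, "p"))
    print("predictor bits after 's':", predictor_bits_for_next_char(model, "s"))
    print("predictor output:", predictor_password(model, "p", 12))
```

After "p" the toy predictor has no choice at all (0 bits) and after "s" only one bit, against about 6.55 bits per character for the uniform draw; the sampler's randomness does not repair a distribution that was never uniform.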

1 Like

I’m trialing Strongbox local vaults at the moment. Strongbox can export my database to a USB drive attached to the iPhone.

As suspected the article highlights the issue with having your database on a server and that zero-knowledge is at best a marketing term. This was a surprising comment from 1Password in the article:

At present there’s no practical method for a user to verify the public key they’re encrypting data to belongs to their intended recipient. As a consequence it would be possible for a malicious or compromised 1Password server to provide dishonest public keys to the user, and run a successful attack. Under such an attack, it would be possible for the 1Password server to acquire vault encryption keys with little ability for users to detect or prevent it.

Some will no doubt argue that this is unlikely, but you need to remember that we have state sponsored actors and AI collectives trying to access password managers. 1Password is no doubt a lucrative target.

The article also highlighted that the greatest weak point in password managers is the sharing options.

I’ve decided to trial using Strongbox and remove my passkeys and replace them with a YubiKey. I have two keys with the same key so if one is lost I can still access my data. I’m trying to do a couple of things here. Firstly, reduce my attack vector. The database is on my phone and on my MacBook Pro. You have to have physical access or hack my specific MacBook Pro/iPhone to get at the database. Secondly, I’m removing the digital reliance and introducing a physical passkey. If someone manages to get my password database from my phone or MacBook Pro they still need the physical YubiKey. For one individual this is more likely too much effort for a bad actor.

This doesn’t reduce the risk of phishing or someone duping me into giving my secure data, or even coercing with the threat of violence, but it does close the door to what I see as an increasing risk of retaining critical information in a digital space that is becoming less secure by the minute. We live in an age where face and voice recognition are no longer safe as a single point of authentication. Ironically, fingerprints are far better.

Why all the effort? If someone steals a company’s passwords they are insured. If someone steals my personal critical data it might lead to financial ruin or at the very least cause immense problems with services, causing untold personal damage.

Unlikely yes, impossible no, IMO. But, as I understand, an “impossible” breach could possibly allow an attacker to acquire the encrypted blob containing my vault. As well as the 15 million+ other blobs containing other vaults.

Should this occur I can only hope mine is not the first one they attempt to crack.
Bottom line. Everyone has to make a decision to use a password manager, then choose the one they like best.

And with that, I have nothing else to say on the subject. Which I’m sure pleases many/all of you. :grinning:

1 Like