I used to be a 1p fanboy, but the company has really deteriorated from my point of view. Once upon a time, my password data was stored entirely locally in a format that was well-documented and which I could access using tools like openssl. In other words, I could be confident that they really were encrypting my data at rest because I controlled my data and could interact with that encryption myself.<p>In time, they moved to a cloud-driven, subscription-based approach. I found this disconcerting since I could no longer see and control where my data was located or evaluate its encryption myself, but I was impressed enough with 1password's track record to believe that it retained a strong security culture. They began emphasizing their web- and browser-extension-based options more, especially for Linux, for which they did not have a desktop client at the time.<p>Notably absent from this was an export feature. It remained in the Mac desktop app, but was completely missing from 1Password X. I noticed prominent 1password staff apologizing for the apparently unintentional lock-in situation created for some users by adding new platform support without also adding data export for those platforms. They promised it would be addressed soon. It wasn't.<p>Last year, I went to evaluate whether it was even still possible to export passwords from the Mac client. I wanted to know that 1password was still a good tool, because my daughter was turning 10 and it was time to establish strong security habits. I wanted to be sure that what I was recommending still made sense. I was nervous. I had not actively used my Mac in years. I went to use the export feature, and found that it simply did not function. 
Extremely alarmed that I now had over 1,000 unique passwords stored in a database that I had no functioning means of exporting, I contacted support and outlined my issue and asked how I could get a plaintext copy of each of my passwords.<p>I received a reply from a self-described "Astronomer of Support," who said:<p><pre><code> "Can you please let me know a little more about why you are wanting to export your data? Once I get a better understanding, I would be glad to help further from there! :)"
</code></pre>
I found this very troubling. I had supported 1password for years. I had recommended it to friends and family. I had bought it for some people. In a couple of jobs, I required it of my reports. I did this on the belief that 1password had a strong value on privacy and security. I felt extremely foolish. While I had adopted 1password on the grounds that it had a locally-stored vault whose encryption was easy to audit, none of that was true anymore. The export feature I was told would be forthcoming on Linux had not materialized, and the feature on my Mac no longer functioned. 1password support was asking me to explain why I would even want access to my own data by some means other than their application in the first place.<p>I asked the support guy how this would affect his troubleshooting, and he told me he just wanted to understand my use case since plaintext exports are a security hazard. Then he told me to download and run a program to upload a substantial amount of information about my system. There was no question as to whether I was OK with this, or an offer of any alternative.<p>The answer, as it happened, was straightforward: I had an old version of 1password. I don't know why having an out-of-date version stopped data export from functioning, but it did. I was able to troubleshoot that without relying on the lengthy dossier that 1password's diagnostic tool had compiled, and the support guy could have done the same. Had 1password still been a company that valued people's privacy, he probably would have simply asked me to double-check the version number in the very first e-mail, rather than ask me pointed questions about why I wanted my data anyway, or tell me to install new telemetry software and give all this new data over to him.<p>I wrote an email back to 1password support explaining my issues as a long-time customer who strongly values privacy.
To their credit, they read and replied to my e-mail, mostly to tell me that they use end-to-end encryption and to direct me to their whitepaper. I was offered a free year of service.<p>By then, I'd imported my data to self-hosted Bitwarden, and I've never looked back. And in the year since then, I've only heard more and more negative comments about 1password, a company that was once spoken of very highly in the places I hang out.