Hacker News: AGKyle's comments

Hi, I work for AgileBits, makers of 1Password.

I can't comment on the defensive part, but text can often be harder to parse in conversation so perhaps it was that? I generally find our support team to be pretty understanding but I am sorry if our support team didn't properly handle your concerns and feedback.

Feature parity is a tricky one. The Mac app (and, since it shares code in a lot of ways, the iOS app) has been around a lot longer. Dating back to just a bit after I started here 8 years ago, we started work on 1Password 4 for Mac and iOS.

The Windows app was rebooted completely a few years back and has been playing catch up since.

Feature parity is the ideal, but it isn't something that is going to happen overnight and we're still trying to do a variety of things to make that happen. But without slowing down our Mac team the Windows app will never really reach feature parity. With that in mind I know our Windows team really wants to try to be a lot closer and they're working hard to do it, but we're all sorry it hasn't moved faster than we'd all like.

If you have specific feedback feel free to write into our support, mention me (Kyle), and ask that your support request be answered by me. Please include a link to this thread just for reference and I'll make sure to look into all of your comments and concerns.

Again, very sorry we haven't met your expectations. Know that our expectations haven't been met either and that we're working hard to try to give everyone what they want on our Windows application.

Kyle

1Password Security Team


Kyle, for what it's worth as a counterpoint, I've grumbled a couple of times about bugs and the 1P team has not come across as defensive at all to me.

Particularly after the nonsense support LastPass gives, it was a pleasant experience, even if my grumbles hold true.

It's not a perfect product by any means but still light years better than LastPass in usability.


Hey, thanks!

We can't be the tool for everyone and we're always the first to recognize bugs exist. Unfortunately we also aren't able to fix them all just like I'm sure most people around here have backlogged bugs in the applications they work on. But we do try to prioritize based on severity and how many people are impacted.

I do appreciate the kind words though. We're not perfect, never will be, but we can sure try our best and I think that's all anyone really wants out of themselves.

If you ever run into issues feel free to reach out as well. Happy to help however I can!

Kyle

1Password Security Team


Disclaimer, I work for 1Password

Here's our privacy policy for anyone that is curious:

https://1password.com/legal/privacy/

We also document for law enforcement what we may be able to provide:

https://1password.com/legal/law-enforcement/

I think we keep this all pretty readable by the average user as well instead of using crazy terminology that doesn't make sense.

But if anyone has questions around our privacy I'm happy to answer any questions as well.

Kyle

1Password Security Team


Heads up, I work for 1Password

We have guides here for migration from other password managers:

https://support.1password.com/import/

Let me know if that helps or if you run into any trouble.

Kyle

1Password Security Team


Heads up: I work for 1Password

Any reason why you'd say unfortunately there? I see it as a pretty big perk rather than an unfortunately. But I would also like to understand a bit more so I can pass along any necessary feedback to our team.

Thanks!

Kyle

1Password Security Team


Not the OP, but I dropped 1Password when it became clear you're forcing folks to cloud storage. I was sort of hoping the carefully chosen weasel-words about that used at the time meant you'd reconsider if enough of us made noise, but later releases made it clear where you're headed.

It bummed me out - I really like 1pw. And I still don't have my password situation back to the same level of ease-of-use yet, but I switched to control the timing. Storing my password DB on other people's computers is simply not going to happen.


+1 for this.

The only reason I ever got onto 1Password in the first place was because I didn't have to use any cloud storage, and could use wifi sync between my devices.

I was extremely disappointed as that started to change. It was an absolute nightmare having to retrain all family members in the nuanced differences in how Bitwarden works compared to 1Password. I hope I don't end up having to eat that cost a second time.


It seems really self-centered to retrain non-technical family on new software to satisfy your own philosophical needs that they may not share.

There is nothing about “being a cloud service” that makes 1Password unusable for your family other than your own objections. On the contrary, it probably protects your family against their own incompetence compared to messing with local files, or depending on you to run a server for them (what happens if you’re hit by a bus?)

Obviously that doesn’t mean that Bitwarden isn’t a superior solution, but that’s not why you switched them over.


Presumably they 1) haven't enslaved their family and 2) aren't charging them for tech support

If 1) is true then the family doesn't have to do what they say. They choose to do what they say because they value their technical expertise. Part of which is a preference for non-cloud solutions. That they don't share it seems irrelevant if they've already decided oarsinsync knows better. If they're like the average person then they probably don't value any password manager much at all beyond oarsinsync saying to use one.

If 2) is true then it's generally accepted for the free help giver to make decisions that make their life easier that they might otherwise not for a paid client. Your chef dad doesn't go to the same effort to plate food at home as they do at work. Your mechanic brother might pop a beer and ask you to hold the light while they fix something wrong with your motor. And yeah, the family computer nerd will put the free help receivers on to the same software they use so they're familiar with any problems that might occur. If oarsinsync moves over to Bitwarden themselves but leaves their family on 1Password and something goes wrong with 1Password in the future, what is the non self-centered move? Are they stuck relearning whatever changes 1Password has made since then? Should they refer their family to customer service?


What a weird, accusatory, windmill-tilting comment.

to satisfy your own philosophical needs that they may not share

They are, presumably, adults who could reject the suggestion to change if they had strong feelings about it.

but that’s not why you switched them over

If you think cloud services are bad, then Bitwarden not using cloud services is what makes it a superior solution, and then would be why you switched them over.

There is nothing about “being a cloud service” that makes 1Password unusable for your family other than your own objections.

But you could say that about every tech decision every tech person makes on behalf of other people. In 2015 LastPass was hacked and user details stolen; in 2017 OneLogin was hacked and they accessed "user data, apps and various types of keys" and they "cannot rule out the possibility that the threat actor also obtained the ability to decrypt data". "I don't trust (or don't want to have to trust) cloud services" is a reasonable choice to make.


> There is nothing about “being a cloud service” that makes 1Password unusable

As the meme goes, the cloud is just somebody else's computer.

> what happens if you’re hit by a bus?

I've already thought about this, and there are dead man's handles already in place to handover control to a person I trust, who is also a user of some of my hosted services (although not password management, because they also choose to host their own).

> It seems really self-centered to retrain non-technical family on new software to satisfy your own philosophical needs that they may not share.

They are welcome to use whatever they want. None of them think password managers (or backups!) are things that are worth paying for, so I pay for and support my chosen solutions. I don't have the time or interest in supporting multiple products for people who don't value any of the solutions in the first place, so I do the best I can to ensure they have something.


Thanks for the feedback.

I won't pretend that we're the password manager for everyone. If we're not the right one for you then hopefully one of the dozens of others out there fit the bill.

I appreciate you taking the time to respond and let me know your opinion on this though. Thanks!

Kyle

1Password Security Team


I assume you have numbers showing the total number of whiners like me are an acceptable loss, but I find dropping that feature inexplicable, honestly.


To be clear, we haven't dropped anything.

We still sell licenses.

We still provide local vaults, in fact you can use them via a license (that we still sell) AND you can use them with a subscription.

Want to buy a license?

On the Mac app for instance, open it on a fresh installation. Go to the welcome screen that pops up on first launch and, from the list of options, choose "Create a new Local Vault". This will take you down the path of buying a license.

Or if you sign up for a subscription, go to advanced options and enable the option to create local vaults. You can sync these to Dropbox or iCloud if you wish, same as you always have been able to.

There are similar options for Windows, though it only includes Dropbox syncing and not iCloud.

Hope that helps.

Kyle

1Password Security Team


I know you haven't dropped anything yet.

The Windows release and the choices your firm made about how to talk about the change have made it pretty clear where this is headed.


Sorry to say I don't think any words I'm going to say will help here. You'll just have to keep an eye on what we do I guess.

I've said elsewhere but we won't pretend to be the single password manager that works for everyone and I'm sorry if we end up being one that doesn't work for you. Hopefully one of the dozens of others out there work for you if we don't though.

Thanks for the feedback though! I certainly appreciate it and will pass along the information I've gleaned from this thread to the various people that need to see them.

Kyle

1Password Security Team


From running a service, I assume the calculation they did was simply "number of people that whine to us because they lost their self-hosted files > number of people that whine to us because we don't allow them to self-host their files".


I think this is probably the better way to look at it.

We saw a lot more "I can't access my data anymore" emails before we had our own service. Those seem to have dropped a lot, at least based on my own experience when doing support, since introducing 1Password.com.

At the end of the day, our 1Password.com solution is also more secure thanks to the Secret Key being used as well. Our local vaults are certainly secure, but 1Password.com is even more secure.

No matter what we do we will have people who don't agree with us. The best answer we can have is be able to logically explain why we have chosen to do something the way we have. Whether the user agrees or not is up to them, but we try to be able to at least explain why we chose to go a direction and hope that the explanation makes the most sense for the most people. We don't always get it right, but we certainly try our best.

Kyle

1Password Security Team


Yeah, that makes sense, though I might have kept the self-hosting feature hidden behind a wall of "you're REALLY not going to get ANY support for this" text. Then again, the maintenance might not even be worth it.


We still sell licenses, it's not super easy to find but it's there. Open the app on a new machine, on the welcome screen of options there's a "Create A New Local Vault" option, which takes you down the path of purchasing a license if one doesn't already exist.

Those on subscriptions can also still create local vaults as well. You'd have a subscription plus the option of local vaults.

So options haven't disappeared, they're all there.

That said, providing an option without support is kind of bad form. We pride ourselves on providing the best technical support we can for our users. Selling a license and then not supporting it would just not be within what we consider good business or, well, being a good developer.

So whatever we sell, we have to support.

Kyle

1Password Security Team


Hmm yeah, that's fair.


There's a good argument that a subscription-based cloud-stored passwords isn't a good password manager for anybody.


I still use 1password because local storage and wifi sync still works but the minute that stops I'll look for another alternative.


>> Storing my password DB on other people's computers is simply not going to happen.

What is the risk scenario you're worried about?


A situation where the remote datastore is compromised and now with it, all of my passwords.

Or if I was to buy into 1Password's worldview, all of my credit cards, bank accounts, ID cards, everything I want to keep a secure digital copy of, is at risk.

Having a sense of control is a huge part of the way we think. Despite the greater risk of death in a car compared to an aeroplane, there's less concerns about car travel because there's a sense of control. Similarly, having the data under my control may be less secure, but that's still within my control rather than dependent on someone else doing the right thing.


I think you may want to take a closer look at how 1Password works. I'll give a quick rundown here, but our security white paper goes into much greater detail: https://1pw.ca/whitepaper

Your data is encrypted locally on your devices, it is never available in a decrypted form on any of our servers. A compromise of our servers would result in the attacker getting gibberish (encrypted data).

To decrypt that data the attacker will need both your Master Password and your Secret Key. A Secret Key is a 128-bit key generated locally on your device, your Master Password is a passphrase set by you. These two keys are combined and, to simplify greatly, used to decrypt your data.

The only way an attacker is going to acquire your Master Password and Secret Key are from your devices. Those are the only places those keys really exist.

Guessing both the Secret Key and a strong Master Password is effectively going to cost such a significant amount of money, or, due to time and processing constraints, be so slow, that it is infeasible.

An attack would have to be highly targeted. In other words, you would have to be a specific target to make any attack be worthwhile. If you believe you are likely to be the target of such a very specific attack you probably have a team of security personnel working for you who could better advise you than I could.

I'd really suggest looking into how we do things. The only feasible attack on your data would be through your devices, and any other password manager that stores data locally on your devices will be impacted the same exact way in this case.

Hope that helps but if you have questions please let me know and I'll do my best to help get you answers.

Kyle

1Password Security Team

Edit: apparently markdown isn't a thing here.


> Edit: apparently markdown isn't a thing here.

Extremely satisfied 1Password customer here. You're correct about lack of Markdown, and for the details: https://news.ycombinator.com/formatdoc


Hey thanks! I guess I've never had reason to use Markdown here until now and just discovered that after years of posting here.

Kyle


While what you are saying seems technically sound, it implies that you do everything right when generating the Secret Key. Let's imagine you have a bug and it fills the Secret Key with zeros (or some fixed sequence), it becomes known after quite some time, and in between your server is compromised. How much easier does that make it for an attacker to decrypt data en masse? I would assume some people may not like that such an attack vector even exists.


We can talk all day about bugs and mistakes. They're a fact of life and we are human.

It's also important to remember that your Master Password still plays a role and YOU provide that. If you use a weak Master Password, and we somehow introduced a bug that set the Secret Key to 0's, then your Master Password would be the only thing protecting you. In an ideal world you'd continue to use a strong Master Password.

Kyle

1Password Security Team
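An added worked model of the two-secret combination described in the rundown above, and of the zeroed-Secret-Key bug raised in this exchange. This is example code written for this page, not 1Password's own client code: the PBKDF2/HKDF/XOR construction, the iteration count, the email-derived salt and the stand-in cipher are all assumptions, and the account values are constructed.

```python
"""Two-secret key derivation, modelled on the rundown above.

Constructed illustration, not 1Password's code: the real client's
parameters live in its white paper. The cipher here is a stand-in
(HMAC-SHA256 keystream plus HMAC tag) so the file runs on the standard
library alone; a real client would use an AEAD such as AES-GCM.
"""
import hashlib
import hmac
import secrets

KEY_LEN = 32                              # 256-bit derived keys
SECRET_KEY_LEN = 16                       # the 128-bit Secret Key from the comment above
ZERO_SECRET_KEY = bytes(SECRET_KEY_LEN)   # the hypothetical "filled with zeros" bug


def hkdf_expand(key: bytes, info: bytes, length: int = KEY_LEN) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(key, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def derive_vault_key(master_password: str, secret_key: bytes, email: str,
                     iterations: int = 100_000) -> bytes:
    """Combine both secrets into one vault key (assumed construction).

    The Master Password goes through PBKDF2 (slow, salted with the account
    email); the Secret Key is expanded with HKDF; the two 256-bit outputs are
    XORed. Either secret being wrong or absent changes the whole result.
    """
    salt = hkdf_expand(email.strip().lower().encode(), b"2skd-salt")
    from_password = hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                                        salt, iterations, KEY_LEN)
    from_secret_key = hkdf_expand(secret_key, b"2skd-secret-key")
    return bytes(p ^ s for p, s in zip(from_password, from_secret_key))


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for a real cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce(16) || ciphertext || tag(32)."""
    enc_key = hkdf_expand(vault_key, b"enc")
    mac_key = hkdf_expand(vault_key, b"mac")
    nonce = secrets.token_bytes(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(vault_key: bytes, blob: bytes):
    """Return the plaintext, or None if the key is wrong or the blob was tampered with."""
    if len(blob) < 16 + 32:
        return None
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    mac_key = hkdf_expand(vault_key, b"mac")
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    enc_key = hkdf_expand(vault_key, b"enc")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def create_vault(email: str, master_password: str, secret_key: bytes, items: bytes) -> dict:
    """What the client uploads: the server record holds neither secret nor the key."""
    vault_key = derive_vault_key(master_password, secret_key, email)
    return {"email": email, "ciphertext": seal(vault_key, items)}


def unlock(record: dict, master_password: str, secret_key: bytes):
    """A device holding both secrets decrypts; anything less gets None."""
    vault_key = derive_vault_key(master_password, secret_key, record["email"])
    return unseal(vault_key, record["ciphertext"])


def server_breach_reveals_items(record: dict, items: bytes) -> bool:
    """Check on the 'gibberish' claim: the item bytes never appear in the stored record."""
    return items in record["ciphertext"]


if __name__ == "__main__":
    email, password = "user@example.com", "correct horse battery staple"  # constructed
    secret_key = secrets.token_bytes(SECRET_KEY_LEN)                       # generated on device
    record = create_vault(email, password, secret_key, b"bank: hunter2")
    print("both secrets  :", unlock(record, password, secret_key))
    print("password only :", unlock(record, password, ZERO_SECRET_KEY))
    # The zeroed-Secret-Key bug discussed above: the vault now stands on the
    # Master Password alone, because the "secret" key is a public constant.
    buggy = create_vault(email, password, ZERO_SECRET_KEY, b"bank: hunter2")
    print("buggy, no key :", unlock(buggy, password, ZERO_SECRET_KEY))
```

The last two prints make the point of the exchange: with a real Secret Key the Master Password alone yields None, while in the zeroed-key case the Master Password is the only secret left standing between the stored record and the items.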


Thank you for your replies and giving a look into how 1Password handles security.

I've been looking to switch for a while now, as the UI of 1Password looks superior to LastPass and my wife needs a strong UI because otherwise she won't understand her password manager :).

A few questions though:

- Will you add support for the newer 2FA options anytime soon? I'd love to use a recent Yubikey when providing the second factor; the FIDO2 keys and NFC on iPhone.
- Is there any roadmap on when the newer 1Password X becomes the default plugin for use in browsers? As a Linux user I believe my options to use 1Password are somewhat limited.


> Will you add support for the newer 2FA options anytime soon?

We've added Yubikey support for the web client and for 1Password for iOS.

We don't comment on future plans because they could change, but we would like to at least see feature parity here in all of the clients, but I can't comment on when that may happen.

2FA doesn't add the same level of security to 1Password as it may with other services so we need to be mindful of bordering into security theater.

> Is there any roadmap on when the newer 1Password X becomes the default plugin for use in browsers? As a Linux user I believe my options to use 1Password are somewhat limited.

I believe that's the direction we're heading but as I mentioned we don't generally comment on specifics. We've done the whole comment publicly and say "yes, it's coming soon" enough times and then had to backtrack and say "sorry, no can do" that we just don't say anything specific anymore for fear of upsetting users.

We always tell people buy for what the product is now, not what it may be in the future. And outlining future plans gets people to buy based on what it may be in the future, and those simply aren't promises we can always keep. So we do the typical under promise, over deliver when it comes to talking about future plans.

Hopefully this doesn't come across as pushing your questions off, that's not at all what I'm intending but clearer answers just aren't something we can comment on at this time.

If you do have any questions moving over though feel free to get in touch via our support page and I'll do my best to get you answers.

Kyle

1Password Security Team


"To decrypt that data the attacker will need both your Master Password and your Secret Key. A Secret Key is a 128-bit key generated locally on your device, your Master Password is a passphrase set by you. These two keys are combined and, to simplify greatly, used to decrypt your data."

I'm curious how syncing works, specifically in regards to the Secret Key. Seemingly, to me, if the process works as described; I'd need to copy that Secret Key to each device I want to sync, otherwise there'd be no way to decrypt the data on the new device.

What am I missing?


You are correct, you'd need to provide the key to each device.

To sign in on a new device you need:

1. Your email
2. Master Password
3. Secret Key
4. The URL for the server your data resides on

When signing in on a new device we offer a variety of ways to help you do this.

1. Your Emergency Kit, a PDF document, has a QR code that can be scanned on most clients.
2. There are also ways to show the same QR code, or a setup code, within the apps to scan on screen.
3. For Apple products we do have a method that saves the Secret Key to the Keychain and can sync via iCloud to help facilitate adding the account to new devices.
4. You can always do it manually as well.

Hope that helps get a better idea of what has to be done there.

Kyle

1Password Security Team


Have a look at ‘Enrolling a new client’ in the white paper linked in the parent comment. The secret key is transmitted to the new device.


Replying to this as I can't reply to the other child comment: The secret key is emailed given to you when you enroll and is used, frequently, every time you enroll a new device. 1Password would have to screw up catastrophically to just not use it.

Obviously they _could_ screw up catastrophically, but if you don't trust them to operate their service with a basic level of competence you probably shouldn't be using them as a password manager to begin with.


The comment above says Secret Key is generated on my device, how can it be emailed anywhere? I don't quite understand how one can enroll other devices with local Secret Key, so I assume Secret Key has to leave my device and travel over the wire. Which raises even more questions, but even if it's not the way it's generated makes a big difference.


It is NOT emailed to you.

It is generated locally as I indicated, and as outlined in our white paper.

Where some users get confused, and perhaps rightfully, is that when you sign in you can generate a PDF called an Emergency Kit, that contains the Secret Key. This PDF is generated entirely in JS within the browser. It is not generated on our servers and then downloaded. Some users do get confused about that.

Our web client is effectively a client running in the browser, it's all local and communicates with our servers the same way that a native app would.

Kyle

1Password Security Team


If you have the DB, then bugs, malware, algorithm weaknesses, insider attacks on the code or operational failures on my part could compromise all my stored secrets.

If you don't have the DB, they can't.


I'm souring on 1password, for both personal and work (we have it company-wide), based on unexpected pricing and licensing model changes. I really liked being able to buy a version _and have it keep working_. I could get it set up for my parents and nothing significant changed because it wasn't a "SaaS" product. I don't need a subscription for a password manager.

So we're ditching 1password for our family, and are likely to do so for work, too.


Same. I'm holding out with a regular licence until they force me off but it's clear that they will, and that they'll probably use the mobile apps as the vehicle.

I've paid for every upgrade for myself and my family so I'm aggregately paying _more_ than I would have paid for the cloud service. But I don't want a cloud service.


I tried setting my parents up with 1Password. I realized that for someone without decent technical understanding it's easy to get into weird states. E.g. new account creation has a lot more friction than I would hope for. I don't understand why the "generate password" button is divorced from the flow of making a new login. This was before 1Pass X so maybe things have changed, but my parents were so frustrated I doubt I'll get them to try it again for years.

My advice: if you don’t do this already take some time to get some older folk without a lot of technical experience using 1Pass effectively (real-life usecases too like shared vaults). Take their feedback seriously because solving for them will reduce mental overhead for more technical users too.


Thanks for the feedback.

We've been doing a lot of user testing recently, so I'll run this by the team that do those tests.

Really appreciate you taking the time to provide feedback here. You didn't have to but did anyway and it's appreciated.

Thanks!

Kyle

1Password Security Team


I'll second the 50+ yr old user testing request. I'm a very satisfied 1Password user/subscriber. It felt very intuitive to me until I set up my in-laws and other consulting clients who are small business owners.

The biggest pain point is creating a new login on iOS in safari. I understand the iOS limitations on browser hooks, but walking a user through creating a new login on iOS over the phone was a test of supernatural patience.

If they create the new login in the app instead of Safari then they have to type a URL (or it won't show up in Safari), which for an older person who doesn't really understand that websites have addresses is like asking them to calculate the shortest superpermutation of n=7 "real quick".

I believe the family plan for 1Password is fantastic. And a bunch of us have signed up or will sign up and put our aging parents on it. So a little user testing by older people where you are trying to help them over the phone would probably go a long way.


Thanks for your feedback!

Unfortunately, the iOS side is difficult. We've done the best we can there given the limitations and our imagination at this time. It's possible we drum up a better solution in the future but we haven't had any major breakthroughs in how best to present the UI for this.

We have filed feature requests with Apple to try to get better mechanisms for making this whole process better though. Hopefully we'll see improvements down the road that help us make a better user experience.

Kyle

1Password Security Team


Safe to say it's:

1) It's generally preferable that open-source solutions be as capable & usable as closed-source ones, and

2) having the best option be a subscription service is very, very "ugh", as has been constantly complained about here and elsewhere.


Re: 1. Got it.

Re: 2. It's not just subscription. Download the app (Mac or Windows) and in the options choose to create a new local vault. You'll be presented with a dialog to buy a license if you don't already have one.

I get the complaints about subscriptions, but there are certainly pieces of software I am willing to pay a subscription for. One that is actively improved, secured, and is used throughout my day is one of them. Your opinion on this may be different of course.

I really appreciate the input though. Thank you!

Kyle

1Password Security Team


Hey Kyle! Been a long time paying user. 1Password has helped me help my family use better passwords. We all have local vaults, but I often recommend and help onboard companies I consult with to the hosted service. Thanks for building an awesome app!


Hi Nathan!

Thanks for the kind words. I'll make sure to pass this along to our team. It's always great when we hear positives. Sometimes the negatives can overwhelm the positive in terms of feedback.

If I can do anything to help you with the consulting side please reach out via our support team and you're welcome to ask for me. If I can't help you then I'll get you in touch with someone that is able to do so.

Kyle

1Password Security Team


How would you regain access to the passwords in the local vault if the phone breaks or gets stolen and prevent them from being lost?

I chose not to use a local vault because I fear those scenarios more than the cloud sync via 1Password being compromised.


You can still make backups on all platforms. So it would be a matter of restoring a backup. Typically someone with local vaults also syncs (to either iCloud or Dropbox) so in theory as long as they still have access to that account they can sign in and access their 1Password data. I'd still suggest backups in addition to that, a sync file is constantly changing, and is not an actual backup.

Hope that helps though!

Kyle

1Password Security Team


As an ex-1Password user, y'all lost me when you released a new Windows client that didn't support local vaults and let the old client stagnate while pushing everyone to switch to a cloud subscription.

I waited and waited for local vault support to come back and finally migrated to something else. No other password manager is as good as 1Password but stringing that out for so long cost AgileBits my business, forever.


Sorry for the trouble.

We had a greater need for the 1Password.com support in the Windows client. So when we started our rewrite efforts it focused on that.

In general, we'd agree that it took longer than we wanted, and I'm sorry if that caused you to leave. In the end we were really doing the best we could given the demands we had and the time/resources available to do it. It sounds like in this case it wasn't enough.

Kyle

1Password Security Team


> but there are certainly pieces of software I am willing to pay a subscription for.

There shouldn't be.

> One that is actively improved, secured, and is used throughout my day is one of them.

Not when those problems are completely self-inflicted by injecting Cloud Bullshit into stuff that doesn't need it.


If there weren't pieces of software that people were willing to pay a subscription for, then software quality would be horrible. The reason why 1Password is so good is that the developers are paid to work on it, and some business needs (such as having really good quality stuff so you can get recommended to more potential customers, and so that your existing customers don't leave) push you towards higher quality software. When working on OSS for free, the need to survive pushes you to work at a job, and your OSS work is done in your spare time, often to get things you want done, but not to make an amazingly polished and very user-friendly work.

Subscriptions allow developers to keep improving their software. If you just pay for software once and keep using an older version, developers miss out on money that could keep them working and improving things. OSS is great, but money is important for developers to deliver quality and updates.


I don't remember software quality being a ton worse before software subscriptions became common. Operating systems and certain development practices (maybe, less certain about that one) have led to some noticeable improvements, but that mostly happened before the shift.


I really really don't like software subscriptions, but for a password manager there is obvious ongoing work just to keep it functioning.

It's one thing to use a standalone app like MS Money for 20 years with various hacks and compatibility modes to keep it working. Over the time I've used a password manager I've seen OS and browser updates break parts like plugins or syncing. I've transitioned to using passwords more on my phone (and phone APIs have changed).


The major difference you may be overlooking is that now everything is connected and online, and as a result the software we use day-to-day needs much more active maintenance than before.

When you had a computer sitting in your home that connected to the Internet via modem for 2 hours a day, your OS or apps could be riddled with hidden bugs and holes and it didn't matter as much.

Now we are constantly operating in insecure-by-default environments, and (responsible) companies have to spend much more to monitor, improve and maintain their applications over time, as devices change, underlying operating systems change, new threats are detected and published, etc.

Hence subscriptions.


Software quality was a lot higher before the Internet was a thing. What you shipped had to work, as shipping patches was non-trivial and expensive.

Most such software wasn't subscription based either.


Citation needed


You introduced a feature without warning a while ago where 1Password would phone home for icons every time it is run (where previously users had the option of creating their own). When Little Snitch flagged this, I was very concerned that 1Password which I had entrusted with my secrets was phoning home without my consent. It took me a while to assure myself that 1Password was not uploading my data to the cloud. I don't see why a password manager needs to phone headquarters every time it is run. I have since blocked 1Password from phoning home using Little Snitch as a workaround.


You're certainly welcome to prevent that. We document every domain 1Password contacts here:

https://support.1password.com/ports-domains/

You can map things up pretty good here. However, note that Little Snitch may not provide the most accurate domains when it comes to CDN services. So do keep in mind that it may reverse DNS incorrectly. I believe they document this on their own site as well. There's at least this that I could find:

https://forums.obdev.at/viewtopic.php?t=8859

We went so far, with the Mac application, as to provide a plist that documents each domain it contacts to give context within Little Snitch, but I suspect you're using 1Password X, which cannot provide the same feature.

There's also an open issue to be able to disable rich icons as a setting there. I was a little unhappy that we didn't provide an option for that feature in 1Password X, and I'll bring it up again with that team that they need to provide the checkbox sooner rather than later.

Sorry you got bit by this though and thank you for the feedback!

Kyle

1Password Security Team


Not the original poster, but I could think of two possible reasons: 1) As a user, you are providing a lot of trust into a private company to hold some of your most sensitive information. 2) Often, "open alternative" is misinterpreted as free. At the very least, one would need a self-hosted server to gain the same UX 1password provides, which comes with additional overhead (cost and maintenance) for the user.


Missing All Bookmarks from AgileBits, which is probably fine because it isn't available and probably isn't on anyone's radar anymore :)

https://web.archive.org/web/20110511105926/http://agilebits....

But for posterity and to remember it, there's the old page via the way back machine.

Kyle

AgileBits


With our bug bounty program we also state that researchers should not access customer data or interrupt normal operation of the services. If their testing is believed to impede normal operation we can provide separate servers for testing purposes.

We also provide a test account which researchers can use if they wish to attempt to modify or read private information. They should stick to that data and I'd encourage other bug bounty programs to do similar.

In my eyes this researcher should've stopped as soon as they started seeing private data and reported it; it sounds as though they continued to read private information well after they realized it was private data they were viewing.

I realize not every bug bounty program plays fair. We look specifically at our bug bounty triage team (via the platform we use) to make sure we are treating researchers fairly and that researchers are obeying the agreed upon rules. They're the neutral third party in our eyes. They keep us honest and researchers honest. At least that's how I approach it all.


That’s cool. It’s so important for bounty programs to have a systematic way to approach awards. The security researcher community overall is very cool, but there are definitely some assholes and bottom feeders out there that can get under your skin and introduce bias in your decisions.


Fair warning: I work for 1Password

These also have another distinct change beyond simply pricing: they're actually hosted in those regions. So .ca is hosted in Canada and .eu is hosted in the European Union.

Kyle


Disclosure: I work for 1Password on the security team.

First, let's discuss what the Secret Key actually does. I'm going to simplify this greatly simply because I don't want to end up in the weeds here. But I think it's important to know what it does and why.

When we designed 1Password's online service we knew that our servers would be a big target if they were storing a lot of user data. And we knew that, historically, users used terribly weak passwords. Knowing this we set out to find ways to protect against these issues.

Let's compare to our standalone vaults since it's a comparison with only us and keeps things simple. Assuming an attacker gains access to your local vault they'd have to guess your Master Password.

With 1Password membership accounts you have both a Master Password and the Secret Key. If someone were to gain access to our servers they'd have to guess both your Secret Key and Master Password together (they're combined together, again simplifying, see our white paper for the full technicals here). You can't just guess the Master Password and then the Secret Key or vice versa, you have to have both of them correct.

Say a user uses a terribly weak Master Password, this would be relatively trivial to guess if someone had your encrypted data.

Say our servers are compromised and you used a weak Master Password. The Secret Key (a 128-bit randomly generated key) is going to protect that data because even if the attacker could guess the weak Master Password, the addition of the Secret Key requires that they guess both together, making the weak Master Password not nearly as weak. For those using very strong Master Passwords, the Secret Key strengthens it even further.

With the same idea in mind, breaching our servers to acquire the encrypted data means an attacker acquires nothing but encrypted data and requires guessing the Secret Key and Master Password for every account. This is a significant undertaking and effectively improbable using today's technology.

Hopefully you now see the point of the Secret Key: it's to protect your data locally on our servers. You absolutely shouldn't use a weak Master Password, but the Secret Key protects those that potentially do.

Now, to your other questions. We do have snapshots of the database made daily. We could restore to one of those.

We are also working on (and have partially implemented) a local backup solution. The Mac client creates these backups already for users who are on our memberships (for individual and family accounts only). They are not (yet) documented nor is there a tool that can read them, but they are being made. The plan is to openly document how they're created so that anyone with the technical understanding could create their own tool for reading them. The reader part of it will come in the future, likely as part of our CLI application, though nothing is for certain at this point and subject to change.

This will allow you to have your own backups and they'll be local to you in the event that something goes wrong on our servers.

Hope that gives you some idea of how it all works. If I can answer any other questions, feel free to write in to support+security@1password.com and mention me (Kyle) and this thread (ideally a link to your question so I have context and won't feel like I have to repeat in case I forget what I may have said).

Kyle

1Password


Hey, I am really sorry I didn't see this earlier. I have a bad habit of browsing not signed in so I rarely see replies to my comments. I think this was a great answer to my question and I really appreciate you taking the time to write up your explanation for me.


Hi sayusasugi!

Can you get in touch with us via our contact form (email method) https://support.1password.com/contact-us/ and we'll see what we can do to help you out with that. We were all students at one point in time as well so if we can help you then we'll help.

Just mention my name and this thread in the form. It'll get sent my way.

Kyle

1Password


Note that the browser extension actually does limit your exposure quite a bit. You make trade-offs here.

For instance, if you aren't using the browser extensions, how are you getting your password to the browser to sign in? Copying and pasting? It's possible for any app on your system to read the clipboard.

Drag and drop should be a better alternative there, as we now support that in 1Password 7.

The extension, though, uses either Safari App Extension (for Safari, obviously) or Native Messaging Host (Firefox and Chrome browsers) and isn't susceptible to clipboard type snooping.

The browser extensions also only present items that match the website you're on. This helps a lot in phishing attempts.

So, yeah, you could not use the browser extensions but you're going to have to trust that YOU always do the right thing.

Note again that 1Password does not "auto fill" like other password managers, where simply visiting the site fills the data in. You always have to explicitly ask 1Password to fill into the page.

Just some insight anyway.

Kyle

1Password


Thanks Kyle. I do appreciate your response! And the tip about drag-and-drop, I may make use of that :)

