Announcing the 1Password command-line tool public beta

Here at AgileBits, we’ve been working hard over the last few months to bring power users, developers, and administrators more powerful ways to interact with 1Password. We’re proud to announce that we have something that fits the bill. It’s called the 1Password command-line tool, and we can’t wait to see what you build with it. Let me take this opportunity to walk you through the exciting potential.

Introducing op

1Password apps are available on just about every platform, but they’ve always had the same dependency: a graphical interface. Now all of 1Password is available with just two characters: op.

The 1Password command-line tool makes your 1Password account accessible entirely from the command line. A simple op signin will securely authenticate you with the 1Password service and give you access to a wide range of capabilities:

Getting usernames and passwords from items:

> op get item OpenProxy | jq '.details.fields[] | select(.designation=="password").value'
"genuine-adopt-pencil-coaster"

Creating new items and vaults:

> op create item login $(cat aws.json | op encode) --title="AWS"
{"uuid":"5hinhvejl7wtmbeorfts7ho3di","vaultUuid":"i5imjpvdivbsxo56m2ap2n66gy"}

> op create vault devops
{"uuid":"ny5khay7t3lmhrp4pjsxl4w34q"}

Working with documents:

> op create document ./devops.pdf --vault=devops --tags=architecture
{"uuid":"i3rsiwjfh7aryvbu5odr4uleki","vaultUuid":"ny5khay7t3lmhrp4pjsxl4w34q"}

If you’re a team administrator, you can also manage other users and shared vaults — all without leaving your terminal:

> op suspend john@acmecorp.com

One of the most frequent requests we receive from 1Password Teams customers is the ability to export the Activity Log. With the Pro plan, op list events makes it easy to ingest activity data into the application of your choosing. Be it Splunk, Kibana, Papertrail, or your own tool, op outputs JSON, so it’s simple to work with.

But we didn’t just build the tool to solve specific requests. It’s flexible enough to handle use cases we haven’t even thought of. The possibilities are endless, and we know you’ll come up with something amazing.

🎶 Rock, robot rock (solid) 🎶

The command structure is similar to tools you already use, providing easy integration with your workflow. Now automated systems can have access to secure credentials without ever storing them in plaintext. Here at AgileBits, for example, we’ve been using op for the last few months as part of our automated build systems. It’s been super useful for fetching secure keys and tokens required for building and deploying 1Password. After a secure op signin, we have a script that fetches the appropriate signing key from a shared vault and automatically signs new builds.

The tool was written from the ground up with the battle-tested Go programming language, the very same we used to build the 1Password service itself. As with every 1Password client, all encryption and decryption is done on your machine locally, ensuring the highest level of security best practices you’ve come to expect from the entire family of 1Password apps.

Get yo’ *NIX on

Our dreams of late have been filled with penguins. Two weeks ago we shared a treat with Linux users, and this week it becomes a feast. You might have already tried 1Password for Linux and Chrome OS, but we know what really makes developers salivate: a CLI. You can download op for macOS, Linux, FreeBSD, OpenBSD, and NetBSD on i386, ARM, and AMD64 architectures. Oh, and our Windows friends can play too!

What’s next?

If you’re as excited as we are about this, here’s everything you need to get started:

We highly value the thoughts of people using the beta in the real world, so we can continue improving the tool for you. As we work toward a stable release and eventually open source, please bear in mind that there may be breaking changes down the line, but we’re more than happy to work with you to resolve any issues. We look forward to working together to create some truly useful and powerful tools, and we can’t do it without you.

Now let’s get ready to 🎶 pipe it, grep it, cat it, sed it 🎶

57 replies
    • Dave Teare
      Dave Teare says:

      It’s awesome hearing your excitement! I’m glad you like what you see. 🙂

      I’m not sure of the intricacies of a launchpad.net package but I’ll be sure to pass along your feedback to those who do. Part of this beta process is to better understand what users like yourself need so please keep the feedback coming! ❤️

      Take care,

      ++dave;

    • Connor Hicks
      Connor Hicks says:

      Thank you! As Dave said, we’re using the public beta period to determine things like this; what our users want. We’re keeping an internal list of these sorts of wants and needs and we’ll use it to help make decisions on features and availability going forward.

      Cheers!
      Connor

  1. Julian
    Julian says:

    This makes me very happy.

    Obviously in the long term a native client for Linux would be highly desirable although a Chrome extension is a great start.

    Your competitor, Enpass, currently provides cross-platform support and they’re entirely free.

    As long as the 1Password CLI works in Linux I’ll be happy for the moment. I don’t like logging in via the 1Password website because of the inherent issues with JavaScript cryptography.

    With the gradual demise of MacOS (see recent usage statistics), Windows and Linux platforms are going to become essential to your business model.

    Whilst I’m on this blog I’d like to see a blog post about the ‘hidden’ features such as /log when somebody gets the time. I’ve yet to come across a one-stop-shop listing all the commands.

    • Dave Teare
      Dave Teare says:

      Hi Julian! 👋

      I agree that would be great. It’s certainly something we’d love to see in the future as well. The issue as always is time: we all only have a finite amount of it so we can’t always work on every fun project that we’d like to.

      For now our plan for Linux is a two pronged approach: the CLI Connor discussed in this post and the new Chrome extension for Chrome OS and Linux users. The CLI is for power users needing to script things while the extension makes using 1Password directly within your browser a treat.

      Both of these are in beta testing at the moment so we’ll need a while to complete these (and implement our ideas that won’t make it into the initial release) before we add any additional things to our Linux plate. 🙂

      I hope you join both betas and enjoy 1Password on Linux!

      Take care,

      ++dave;

    • Connor Hicks
      Connor Hicks says:

      Thanks for the great feedback, it’s awesome to see passionate users getting their hands on the tool in real life! As for the logging options, the tool currently only logs barebones error messages, it’s not yet useful for real debugging. For future releases, we’ll be fleshing out the logging to make it more useful, and start documenting the log options. Keep an eye on the release page and the CLI forum for more details going forward.

      FYI all of the commands are documented here: https://support.1password.com/command-line/ and also using the --help flag on any command (top-level or subcommand) while using the tool.

      Cheers!
      Connor

  2. Disgruntled user
    Disgruntled user says:

    A command line version of 1P, but no Chromebook version!?!?!? SMH, this is what happens when you let stoned engineers run the product team.

    • Dave Teare
      Dave Teare says:

      Hello Disgruntled user! 👋

      I’m sad to hear you’re in a state of disgruntlement. That’s certainly not a state we want to see you in!

      Thankfully I think I have the perfect cure for you: we have a Chromebook version of 1Password in the works already. Connor linked to it in his post above and we’re in private beta testing already. We’d love to have you join our beta testing family and you can learn more here:

      https://discussions.agilebits.com/discussion/79609/a-present-for-linux-and-chrome-os-users/p1

      With any luck this news will turn your frown upside down. 🙂

      Take care,

      ++dave;

    • Jeffrey Goldberg
      Jeffrey Goldberg says:

      Hi Justin,

      The command-line tool is a client for the 1Password service. So far our early testers have been using it for managing 1Password Team accounts or scripting the use of secrets within their organizations.

      Though I also use it to get certain things from my family account. I’ve got a script which I use to get my Tarsnap keys from to fetch a latest backup of various servers and systems I manage around the house. (OK, now that I read over that I realize that I am probably not the most typical of Family account users. And if I would put my FreeBSD servers on systems with more reliable power supplies I wouldn’t need to restore from backup too often.)

    • John
      John says:

      Ay, and there’s the rub! I knew this sounded too good to be true. Of course it’s not available for standalone, local vault customers. Oh well, can’t really be too upset with something you didn’t have in the first place. Pity, this sounds like a really cool tool and I could definitely see some cool automation benefits to using it. I’ll just go back to the corner with the rest of the local vault plebs. Enjoy your shiny new toys everyone else. :(

      Oh and before you guys inevitably mention it, respectfully no thank you, I do not want to sign up for the subscription service. I prefer local, WLAN synced vaults. And even if I did want it, unfortunately I couldn’t afford it.

    • Dave Teare
      Dave Teare says:

      Hi John,

      You’re right, this CLI is only available to those subscribed to our 1Password service. This CLI (as well as our upcoming present for Chrome OS and Linux users) were made possible by the centralized architecture provided by our new service.

      As for me inevitably mentioning signing up to our subscription service, of course that is an option and a mighty good one at that. But not to worry, we have no intention of forcing you to sign up. It’s up to us to demonstrate to you how much better our hosted system is and get you excited to make the switch. In addition to unlocking features like the CLI tool Connor discussed in this post and the upcoming reimagined Chrome extension, there are other benefits inherent with 1Password Memberships as well, such as item history, data loss protection, seamless sync, etc. This list will continue to grow and I hope that in time we’ll be successful in getting you excited. Until then, you can continue enjoying 1Password as you have been.

      Take care,

      ++dave;

    • Alexis
      Alexis says:

      @Dave Everything you say is true. Although the paid plan/membership also brings a HUGE drawback, at least for me: you f-ing have a copy of my vault! Like… why? There is 0 technical reason why a command line tool wouldn’t be able to connect to the 1password running on my machine, or just reading the vault directly…
      I’m sorry, but you are trying to force us to pay more.
      The reason I chose 1password in the first place:
      – no membership
      – seemingly working on windows (I’m sorry but the old app is just crap, it’s actually got worse…)
      – you don’t have a copy of the data
      – I sync the data however I want

      I guess it’s time for me to look at an alternative…

    • Dave Teare
      Dave Teare says:

      Hi Alexis,

      Thanks for sharing your thoughts with me. I can see where you are coming from and if I were in your shoes I could see myself feeling the same way. Please allow me to share a few thoughts from my perspective and hopefully you’ll be able to continue using 1Password.

      Since we’re having this discussion in the comments section of our CLI announcement it’s fitting to start there. You’re right, our CLI does not support standalone licenses and we have no plans of changing that. The main reason for this is the CLI was primarily created for our 1Password Teams customers. Tasks like exporting activity logs to Splunk, onboarding new users, and suspending users are things needed by our very large teams. Automating tasks like these is simply not needed by individuals.

      Of course that’s not to say there’s no value of a CLI for individuals. While we’re primarily targeting the CLI at teams, things like grabbing a password from an item can be very useful to an individual who’s running their own server. In this scenario, however, the server would need to have access to your data, which would require making a connection to another server to grab the information. We designed our server APIs specifically to make tasks like this very efficient and secure. Attempting to shoehorn these features into three other APIs (CloudKit, Dropbox, and WLAN Sync) is something we’re not interested in doing. Even if there was sufficient demand for this I’m not convinced it’s even possible. Of course we could read the data from the local files directly, but that would greatly curtail the usefulness of this utility, so I don’t want to go that route either.

      As for Windows, I’m not sure if you’ve seen them or not, but we’ve had several posts about 1Password 6 for Windows. The most recent were Kate’s Introducing 1Password 6.6 for Windows and 1Password 6.7 for Windows: A feature buffet and you can see there’s been some really awesome improvements for Windows so far this year. I think you’ll really enjoy it. Now the thing is, for several reasons 1Password 6 for Windows only supports 1Password memberships at this time but we’ve announced already that 1Password 7 for Windows will support standalone licenses. While we’re not ready to announce anything specific on when 1Password 7 will arrive, I will go out on a limb and say you should be able to test drive a beta by the end of this year.

      As I mentioned to John above, we have no intention of forcing you to sign up to our subscription service. It’s up to us to demonstrate to you how much better our hosted system is and get you excited about making the switch. Obviously we’re not there yet for you and that’s okay – users like you are why we continue to support standalone licenses for 1Password and why we are keeping support for them in 1Password 7. Perhaps we’ll succeed in getting you excited in the future or perhaps we won’t – either way I hope you’ll be able to continue using 1Password.

      Take care,

      ++dave;

    • Alexis
      Alexis says:

      @Dave First off thanks for the answer. And don’t get me wrong, I’m excited for most of the new stuff. Except you ask me to host my data. And that’s just not happening :-)
      Something that lets you setup a webdav over ssl or something is cool.

      I trust you guys, don’t get me wrong, but not enough to just have all my passwords (even encrypted etc.) sitting ducks with everybody else’s. It just doesn’t make sense from a security standpoint.

      As for the windows version, maybe version 7 will work. But in the meantime, we both know what the other one is worth :-)

    • Kate Sebald
      Kate Sebald says:

      Hey Alexis!

      1Password 4 is a bit polarizing. As a Windows user since forever, I actually rather like it myself. It reminds me of the old days of Windows when I was first learning to use a computer with something more than DOS. Despite its age and the fact that it looks a bit less than pretty, 1Password 4 really is still a very powerful program with a lot of flexibility that I find pretty fun to use (if perhaps not to troubleshoot). Beyond my nostalgic affection for it, though, I still know of quite a few folks who remain in love with 1Password 4 and won’t leave it for anything. Value is in the eye of the beholder and for more folks than you might think, 1Password 4 still holds quite a bit of value.

      That said, one reason we are no longer selling 1Password 4 for Windows is because we are no longer actively developing it. Our view is that one of the things you pay for when you buy a license is ongoing improvements. 1Password 4 will now only continue to receive bug fixes and security updates. With 1Password 7 in the pipes 1Password 4’s days as the latest app for folks using standalone vaults on Windows is coming to an end, so we think our time is better spent getting 1Password 7 ready to go. I’m pretty excited about that. Having everyone using the same new, modernized app no matter where you store your vaults will be awesome and I’m definitely looking forward to hearing your thoughts when it’s ready. 🙂

      I trust you guys, don’t get me wrong, but not enough to just have all my passwords (even encrypted etc.) sitting ducks with everybody else’s.

      I’m glad to hear you trust us. One thing I try to stay conscious of is that some folks’ reluctance (or refusal) to try out a 1Password membership has nothing at all to do with us. In reality, “the cloud” is a scary place for some folks and not without reason. As I said in a recent blog post, data breaches are old hat these days. It’s easy for us to say we’re different, but harder for us to demonstrate that we truly are. I hope by being transparent about our security practices, working to inform folks of how we secure your data, and ensuring you are the only person who ever has the keys to unlock your vault we’re able to show we truly are different from the folks who have leaked your data (and mine, for that matter) over the years. But I do know that hurdle is still pretty tall and it may well take a bit more work to surmount it.

      As Dave mentioned, we love 1Password memberships, but our job is to give you the information you need to make the best decision for you. If a 1Password membership isn’t what’s best for you, standalone vaults are here for you and it’s up to us to prove to you that your data aren’t sitting ducks on our servers so that (maybe) you’ll change your mind one day. We never want to force you to make the switch. We want it to be your choice. 🙂

      I hope, even if you don’t decide to give a membership a try any time soon, you do take the time to learn more about the security features of 1Password memberships, if you’re interested, and to share any feedback you might have about security with us. It’s perhaps a lofty goal, but we hope to one day make our servers a place everyone feels safe storing their encrypted vaults. Maybe that takes a new security feature (or many), maybe it just takes time and maybe, for some, it’s never gonna happen, but dag nabbit, we’re gonna try so your feedback is always appreciated.

      Thank you for taking the time to share your thoughts and for sticking with us for so long. We know you wouldn’t take the time to talk to us about this stuff if you didn’t want us to succeed, so thank you and keep the feedback coming.❤️ 🙂

    • Connor Hicks
      Connor Hicks says:

      I bet if you did a search for “1password-cli” on homebrew, you’d find something our friends over there put together!

      Nothing official from us just yet!

  3. Andy
    Andy says:

    While I’m all for short commands, is it such a great idea to use two letters? To avoid mistakes perhaps a more descriptive name would make sense… then the user is free to alias it to whatever they please. This looks very promising though!

    • Jeffrey Goldberg
      Jeffrey Goldberg says:

      Hi Andy,

      If you are worried about typos with “op”, then you can alias it to something longer. That way, you only have to be sure to get the command right once (where you define the alias).

      Anyway, have fun with it.

    • Dan
      Dan says:

      I should’ve caught that given the music notes emojis. However, I was thinking of the Bop It toy. “Push it! Pull it! Twist it! Bop it!”

  4. Jean Mertz
    Jean Mertz says:

    This is awesome. We use https://passwordstore.org in combination with 1Password, the former for our automated build scripts and CI, the latter for our employees.

    With this CLI, we can converge everything into 1Password, and use the groups functionality to separate access for specific automated services.

    Truly an awesome addition to an already wonderful suite of tools.

    • Jeffrey Goldberg
      Jeffrey Goldberg says:

      Thank you so much. We (particularly Connor and Stefan) have put a lot of work into this for exactly the kind of usage you describe.

    • Connor Hicks
      Connor Hicks says:

      Glad to hear you’ll be able to put everything together :) Let us know on Twitter how it turns out!

  5. Greg S
    Greg S says:

    If I have to ask this question I probably shouldn’t be using it, but what are the two macOS versions?

    Secondly, Homebrew is a common way to distribute some things on macOS. Not sure if it’s appropriate for this software. “Homebrew installs the stuff you need that Apple didn’t.” https://brew.sh. Includes updating.

    Although probably easier and better if it can be an option in the macOS app installation. Other apps do this. TextMate is one example. https://panic.com/transmit/

    • Connor Hicks
      Connor Hicks says:

      Hey there Greg,

      There are macOS builds for 368 (32-bit) and amd64 (64-bit) if you purchased your Mac in the past… 5 years, you’re most likely going to want the amd64 version.

      As for Homebrew, we are not officially supporting it just yet, but a little birdy told me that the folks over at homebrew may have put a cask together on their own :)

    • Jeffrey Goldberg
      Jeffrey Goldberg says:

      Challenge accepted! (Though not the challenge you expect.) I will see if I can get a Macports port file set up before someone sets up a Homebrew cask. (I think I might be the only Macports user around here. Everyone else uses Homebrew.)

    • Connor Hicks
      Connor Hicks says:

      Nothing official, but a little birdy told me that the fine people over at homebrew have added it already :)

  6. CttW Apps
    CttW Apps says:

    I’d like to create a shell function to serve as a wrapper for op and JSON parsing; however, I don’t want to sign in every time the wrapper is called because that would be wasteful. Is there a method to check if the existing OP_SESSION_XXX token is still valid? Ideally “op signin” would check the current token before prompting the user to authenticate and get a new one; however, in my testing I’m able to get a new token with each “signin” request when the 30min expiry for the previous token has not passed. Thanks.

    • Connor Hicks
      Connor Hicks says:

      That’s a great question! At the current time, there’s no explicit “check for valid token” command. That is a great idea though, I’ve added it to our feature ideas list. For now, I would suggest running the op get account command as your “check”. If that returns a non-zero exit code, you are not signed in (it’s essentially the only error that command would ever throw). I know it’s not ideal, but hopefully it’ll work for now :) Please head over to the forums if you have any more ideas (it’s the fastest way to get in touch with me and to have longer conversations)

      Cheers!
      Connor
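The check suggested in the reply above, worked into the wrapper the question asks for. This is an added example, not part of the original thread and not 1Password's code: the function names and the `OP_ACCOUNT` variable are hypothetical, and it assumes `op signin <shorthand>` prints an `export OP_SESSION_...` line on stdout for the shell to evaluate.

```shell
#!/bin/sh
# Added example (not 1Password's code). Function names and OP_ACCOUNT are
# hypothetical; using `op get account` as the probe is the suggestion
# from the thread.

# Succeeds only while the current OP_SESSION_* token is still accepted.
op_session_valid() {
    op get account >/dev/null 2>&1
}

# Sign in only when the probe fails. Must run in the *current* shell:
# inside $(...) or a pipeline the exported token dies with the subshell,
# and every later call would prompt for a new sign-in.
op_ensure_session() {
    if op_session_valid; then
        return 0
    fi
    if [ -z "${OP_ACCOUNT:-}" ]; then
        echo "op_ensure_session: set OP_ACCOUNT to your account shorthand" >&2
        return 1
    fi
    # Assumption: `op signin <shorthand>` prints an `export OP_SESSION_...`
    # line on stdout. Capturing it keeps the token off the screen.
    _op_out=$(op signin "$OP_ACCOUNT") || { unset _op_out; return 1; }
    eval "$_op_out"
    unset _op_out
    # Fail closed if the new token is still not accepted.
    op_session_valid
}

# Print one item's password using the jq filter from the announcement.
# It refuses to sign in here, because callers normally run it as
# pw=$(op_password ...), which is a subshell.
op_password() {
    if ! op_session_valid; then
        echo "op_password: no valid session, call op_ensure_session first" >&2
        return 1
    fi
    op get item "$1" |
        jq -r '.details.fields[] | select(.designation=="password").value'
}

# Typical use in a script:
#   OP_ACCOUNT=example            # constructed shorthand
#   op_ensure_session || exit 1
#   pw=$(op_password OpenProxy)
```

The session token lives in the environment of the calling shell, so any child process started from that shell can read it until it expires.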

  7. Robert
    Robert says:

    I upgraded to 1Password accounts just for this (although I think it’s not cool that new features are cloud only). Then I realized this does not take advantage of touch ID, forces me to store the secret key on the disk. I really hope you will improve it. Given all this I am back to 1Password standalone version.

    • Connor Hicks
      Connor Hicks says:

      Robert,

      Thanks for giving the tool a try, let me see if I can address your concerns. As a CLI, we aren’t really able to take advantage of system functions like TouchID at this time. There are some pretty strict requirements for apps to use it, and unfortunately the CLI won’t qualify. Our Mac app does indeed support it, though!

      As for the secret key, we store it exactly the same way as the other apps, it just happens to be in a more “visible” location (your home directory, rather than a buried directory). We set up very strict UNIX permissions on the ~/.op directory and on the file itself so that no other users on the system (except of course, superusers) can access it.

      I hope that helps! Please feel free to email me (suppost+cli@agilebits.com goes straight to me) if you want to discuss it in more detail, you can also head over to our forums to have a lengthier discussion.

      Cheers,
      Connor

  8. Eleanora
    Eleanora says:

    Unfortunately you need a subscription for it. You guys are doing a great job driving your service into the ground and unusable – So Long, and Thanks for All the Fish

    • Dave Teare
      Dave Teare says:

      Hi Eleanora,

      You’re right, the command line utility Connor discussed in this post is only available to those subscribed to our 1Password service. This new command line client as well as our upcoming present for Chrome OS and Linux users were made possible by the centralized architecture provided by our new service. Having control of both the client and the server provide us with many new opportunities that we didn’t have available to us before.

      As for the fish, you’re very welcome, but just so you know, there’s no need to say goodbye. As excited as we are about our new subscription service we have no intention of forcing you to sign up. It’s up to us to demonstrate to you how much better our hosted system is and get you excited to make the switch. In addition to unlocking features like the CLI tool Connor discussed in this post and the upcoming reimagined Chrome extension, there are other benefits inherent with 1Password Memberships as well, such as item history, data loss protection, seamless sync, etc. This list will continue to grow and I hope that in time we’ll be successful in getting you excited. Until then, you can continue enjoying 1Password as you have been.

      Take care,

      ++dave;

  9. Joel
    Joel says:

    Sigh.

    Y’all.

    Coming up to mention that I’m yet another user who purchased several versions of 1password over the years and feels betrayed that only the subscription users are capable of using these tools.

    I KNOW you’re a business. I KNOW you need to make money. I KNOW you owe me (and others) jack squat — but, man. This is such a kick to the nuts.

    As a loyal and enthusiastic user, who’s recommended and installed 1p on family/friends’ computers over the years (“Yes, yes I know it’s expensive but it’s totally worth it!”, I would say) I think this is probably the final straw. It’s time to find something else.

    • Kate Sebald
      Kate Sebald says:

      Hey Joel! Limiting this to 1Password memberships wasn’t at all meant as a slight to folks who chose standalone vaults. In fact, open source CLI tools already exist for standalone vaults, so we didn’t genuinely see a need there. Instead, most of the tasks we already had in mind when building this were specific to folks using our hosted service as they were the folks asking for it. Stuff like managing vault permissions and exporting certain data maintained server-side just isn’t a concern with standalone vaults. We would never kick you anywhere (we’re lovers, not fighters) and while we might maybe hope that some of the tools that take advantage of our hosted service convince you to give it a try, we still appreciate y’all no matter where you store your vaults.❤️

  10. Donald Nash
    Donald Nash says:

    Two observations: First, wrapping a PowerShell module around op would be awesome for folks like me who use it extensively for automation and orchestration. PowerShell has a built in ability to convert its native objects to/from JSON. Wrapping op shouldn’t be too difficult, but it might be a bit tedious.

    Second, regarding all the heat you’re getting for emphasizing your subscription service, I think maybe you’re not quite grasping the nature of some of the complaints, at least not those I’ve seen in this thread. Some people have security requirements that simply can’t be satisfied with the subscription service, and Dave’s comments about getting people excited about switching to it ignore these concerns. Add to that the fact that so many new features are only available via subscription makes it look like you’re abandoning standalone vaults. I can understand your excitement about the new service and all the things it lets you do, but at some point if you don’t back-fill those new features into standalone vaults then those people are going to have a legitimate concern. And given the paucity of reassurance on this topic, I’d say that they already have a legitimate concern. I know you can’t make promises about what you’ll be doing in the future, but throwing a bone to these folks could go a long way. Something like, “Yes, we plan on adding features x, y, and z to the standalone version, but not features a and b. But we don’t have a time table just yet, and no plan survives first contact with the enemy. Please bear with us,” would go a long way.

    Disclaimer: I’m a subscription user.

    ++Don

    P.S. Dave: quit copying my “++” prefix on your signature. :-) I’ve been using it since 1985 or so. Get off my lawn! :-P

    • Kate Sebald
      Kate Sebald says:

      Hey Don! I’ll leave PowerShell to Connor as I think I actually heard the whoosh as it went over my head, but as one of the folks who has spent a lot of time responding to subscription concerns, I did want to jump in with my two cents there. Specific concerns really do vary a lot and that’s one reason I prefer one-on-one conversations with folks about their specific concerns over trying to address a generalized complaint about subscriptions or cloud storage in general. Of course, that is itself kind of general, so let’s talk specifics.😉

      Some people have security requirements that simply can’t be satisfied with the subscription service

      This is a particularly tough one. Some folks do have security requirements we truly can’t meet. Others require we meet certain standards we already do meet or are working towards. Others have no specific security requirements and just hate cloud storage. If someone comes out and tells me that a client of theirs, for example, requires that none of their data be stored on the cloud, then I get that and the conversation can shift to standalone vaults from there. If someone requires that we have a certification we don’t have yet or keep their servers in a specific place we don’t have infrastructure in yet, I get that and can save the pitch for when we can meet those requirements. The tough one is when someone tells me they just generally don’t trust the cloud.

      I recently used the phrase, “data breaches are old hat,” and it’s sad, but true. For that reason, I totally get that the cloud is viewed as a scary place by some. The news doesn’t do the cloud any favors. All the same, though, I always think maybe I can convince these folks. Maybe I can explain how we do things differently by putting security first in all things and being open and transparent about what we do to keep data safe and this will push them to give it a try. Maybe it just takes time to make them comfortable or they have a specific suggestion that might ease their concerns. Maybe new features will tempt them over the edge. Maybe they won’t be convinced at all.

      In these conversations with customers, we try to address specific concerns and recognize what needs to happen to make a 1Password membership not just a viable choice but genuinely the best choice for every customer. This sort of feedback helps us make 1Password better, so I love these conversations. That said, we may sometimes miss a specific underlying concern giving the impression we’re dismissing it, or just fail to recognize someone who simply won’t be convinced. I’ve had to apologize for doing just that myself a few times and I’m sure I’ll miss the mark again, though I try to do better each time. All the same, we really do listen to what folks have to say and I hope our enthusiasm isn’t interpreted as a lack of concern. If anyone does feel their concerns were dismissed, I hope they’ll tell me (or that I’ll realize I’ve goofed), because that just means I’m missing out on a chance to improve 1Password for that person. What makes any given person feel secure varies greatly and the best way to make 1Password.com a safe place for folks to store their data is to figure out what a safe place looks like for everyone.🙂

      the fact that so many new features are only available via subscription makes it look like you’re abandoning standalone vaults.

      I don’t think that’s an unreasonable interpretation, but the reality is that a lot of these new features leverage server infrastructure to work. Take Travel Mode, for example. If you remove data from your device with a standalone vault that isn’t synced, that data is gone. If you want to remove data that is synced, you need to remove it on each device individually or remove it from Dropbox or iCloud entirely (in which case it’s still gone) because there’s no central server tracking whether a vault is safe for travel or not and nothing that’s able to tell all of your devices at once to get rid of vault X. Our hosted service is what makes Travel Mode work as seamlessly as it does. Most of the time, it’s easier to add features to the apps generally than it is to segregate standalone vaults, so if it’s a feature that makes sense for everyone and works the same for everyone, generally everyone will get it.

      at some point if you don’t back-fill those new features into standalone vaults then those people are going to have a legitimate concern.

      I try to treat all concerns as legitimate, whether I agree with them or not. Often, my word is all folks have to go on and that’s a tough spot to be in. Of course, we’re always open to talking about specific features folks would like to use with standalone vaults, whether or not I can make any promises (which I almost always can’t). Since I don’t want anyone to think they’re the enemy (we’re all friends here), I’d instead say that theory and practice are two very different things and rarely do they mirror each other perfectly. As I’ve said before, this often makes talking about the future tough because I don’t want to set unrealistic expectations or make promises I can’t keep, but we do try to share what we can as soon as we can. Still, we do always want to hear from people, no matter what. Whether you see it unfolding or not, y’all really do draw the roadmap with your suggestions and requests so never hold back.🙂

    • Donald Nash
      Donald Nash says:

      Kate,

      I understand that some features like Travel Mode simply don’t work for standalone vaults, and that’s okay (see “features a and b” in my original post). But the new CLI isn’t one of those things. The existence of open source CLI tools for standalone vaults is not an excuse for you not to cover them yourselves. Third party open source tools lack vendor support, and thus are dependent on the vagaries of their communities. If the format of your standalone vaults changes, then those tools will quit working until they can be updated. Meanwhile, a vendor supported solution would presumably be updated when the new vault format is released. Also, I would suspect (not having used them) that the inputs, behaviors and outputs of those tools are different than op, which means that higher level tools which need to use both must have two sets of “driver” code rather than a single one.

      I won’t do a case by case analysis of recent features which I think could reasonably support standalone vaults and which couldn’t. The comparison of Travel Mode to the CLI sets the boundaries rather well, and in any case I’m quite sure that you folks have a better handle on it than I do. But the existence of comments like Joel’s would seem to demonstrate a bit of a blind spot on you folks’ part. Many people really, really like standalone vaults. It doesn’t matter if their concerns are legitimate or just an implacable “I hate cloud,” because the result is the same either way. Any time you announce a new feature that only works for the subscription model, you will alienate these people unless you either make it clear that it’ll be implemented for standalone vaults as well, or explain why that simply can’t be done (like your explanation of Travel Mode).

      I’m truly not meaning to bash on you folks. I really like 1P, and its continued success means it will continue to be available to me. More than that, I really like AgileBits as a company and how it is run (ref. Dave’s recent comments about corporate governance). That’s why comments from disgruntled users leaving the platform bother me. I realize there probably aren’t very many such people, but alienating customers enough that they leave is usually not a sound business decision, and that is worrying.

      ++Don

    • Kate Sebald
      Kate Sebald says:

      Hey Don! I’m not intending to imply that the existence of open source tools means that there wouldn’t be advantages to something we developed. I’m a bit biased, of course, but I think our customer support is awesome, so I definitely see advantages to having a tool we support directly beyond what you mentioned. That said, my point is not that folks using standalone vaults don’t have a need, just that no significant need had been communicated to us. As most folks understand, we do have to make choices in prioritizing where to spend resources and time (particularly developers’ time) is one of the most precious resources we have, so we go to great lengths to focus those resources on features that will most benefit the most people.

      As I pointed out at the end of my prior comment, these decisions really are more strongly influenced by what y’all are communicating to us than anything else. If we hear from a small handful of customers that they want feature A, we’ll keep track of it, but feature B that has hundreds of requests is going to get our attention first. Similarly, if the vast majority of requests for feature B come from folks using a 1Password membership, that will play a role in the decision as well. One reason I noted Travel Mode specifically is because we did anticipate folks using standalone vaults would want it. Unfortunately, it was also an instance where that just couldn’t be done. All the same, we did explain this right away because we anticipated that sort of response. Another “feature” folks using standalone vaults often requested was 1Password 6 for Windows generally. Some folks love 1Password 4, but quite a few have been asking for an upgrade for some time, and so we are incorporating standalone vaults into 1Password 7 for Windows.

      In short, we didn’t anticipate a need with CLI and need to see comments like Joel’s to know it’s there. More than that, we need to see quite a few of them to know that need is far-reaching. For CLI, we didn’t see a need there and didn’t expect one. Time may tell us we’re wrong and, if that does happen, we’ll have to consider the feedback we’ve received and see what the best course of action is for us then.

      Of course, it saddens all of us to see folks leaving, especially folks who have been with us for a long time. We know the choices we make will never be popular with everybody, but that knowledge doesn’t make hearing folks are upset easy or enjoyable. No one sets out to alienate anyone, but any time we make a choice about features or future development, we know some folks are going to be upset regardless of our choice. The best we can ask of ourselves is to make the decisions that ensure we’re spending time and resources in such a way as to make 1Password the best it can be for the most folks possible (and to be agile and adjust when we learn we were wrong).

    • Donald Nash
      Donald Nash says:

      Kate,

      I understand having to prioritize what you’re doing, and I’ve never had a problem with that. That’s why I’ve held my peace as I’ve watched all the new stuff come out that only works for subscribers. You’ve got a new widget, and you want to make good use of it to maximize return on your investment in creating it. That’s a completely reasonable priority. So is oiling the squeaky wheel first.

      My complaint is more about your communication. You did a good job with Travel Mode, explaining up front why it is only available to subscribers. With regard to the CLI, much of the angst could have been avoided with two simple sentences: “The CLI only works for subscription users because that’s where we’ve had feedback that there’s a need. If you use standalone vaults and would prefer a solution from us rather than the open source packages currently available, then please let us know so we can prioritize accordingly.”

      It’s important to keep in mind that some people will feel alienated about the lack of a new feature even if it’s a feature they don’t plan on using. It’s about feeling left out rather than actually being left out. “If they’re not going to implement feature X for standalone vaults, then what else are they not going to give us?” It may not be entirely rational, but it is entirely human. That’s why I’m suggesting more up-front communication when rolling out new features that are limited to only part of your customer base (standalone vs subscriber, Mac vs Windows, whatever), rather than waiting for complaints. That can make the difference between, “Grumble, grumble, time to find a new password manager,” and “Oh, thanks for asking! Yes, I’d love one.”

      ++Don

    • Jeffrey Goldberg
      Jeffrey Goldberg says:

      Thanks, Don, for helping us understand how we may have been alienating readers. And you are correct that the blog announcement could have been drafted in a way that would have gone over better. This was simply an accidental oversight due to where our heads are at.

      It’s no secret that the focus of our development is on our service, and we also (internally at least) talk about op as “the command-line client”. Those two combined meant that for us it went without saying that this is a client for our service. Of course something that goes without saying for us is something that really should be said in the blog post.

      We didn’t do enough here to consider an outsider’s perspective despite writing for outsiders. Some of that I blame on being caught up in our own excitement about what we are doing. I suspect that that is why I missed this when I read over the prepublication draft, and I expect that that is true of everyone else here as well.

      So yes, we could have presented that better and we should have presented that better. Thank you for helping us understand that.

      Cheers,
      -j Chief Defender Against the Dark Arts @ AgileBits

    • Donald Nash
      Donald Nash says:

      Jeff,

      Yes, that’s exactly what I’ve been trying to say. Getting inside someone else’s head is hard. Since I’m one of the “someone else” from your perspective, that puts me on the side that sees this issue more clearly. It’s all just a matter of perspective.

      Just to be clear, I’m not laying blame here. You guys are completely justified in being caught up in the excitement. The new service is a big deal, and I’m not so far removed from app/service development that I don’t get that way myself sometimes. I never for a moment thought that there was any deliberate intent to leave anyone out. That’s part of why I’ve been such a dog with a bone on this. “No, no, no, guys! I know you’re not like that! Make them understand!”

      Thanks for listening.

      ++Don

    • Joel
      Joel says:

      Mr Don – If the whole developer/engineer thing doesn’t work out you should try corporate communications ;).

      On a serious note, thank you for articulating on behalf of those of us that are less adept. Your points are on the money.

    • Donald Nash
      Donald Nash says:

      Corporate communications? Seriously?!? How insulting! :-)

      Seriously, thanks for the praise. What communication skills I have are mostly due to nearly 30 years watching how people fail to communicate. It’s actually rather fascinating when you’re an outside observer, and I’m fortunate that my career has afforded me a great deal of that experience. Being a total language nerd helps, too.

      Kate and Jeffrey: Thanks for taking the time to hear me out. Although I try to keep it reined in, I have a tendency to get a bit blustery sometimes.

      ++Don

      P.S. Really, I just want that PowerShell module. :-P

  11. John Clendenen
    John Clendenen says:

    CLI brings lots of great automation possibilities but also some risk.

    I would like to be able to:

    Disable CLI use per account and per vault so that only IT can use CLI and so extremely sensitive credentials aren’t available to it.
    Be able to rate-limit queries to make it more difficult to quickly dump whole vaults.
    See a detailed log of access to shared vaults.
    As an admin, send new credentials to a user’s personal vault (without having read access to the vault or the credentials after they’re sent).
