Generally speaking, security solutions have (at least) two goals that are often at odds with each other: (a) Minimize the number of trusted third parties / components, (b) stay out of the way from a usability perspective.
Most negative comments here imply that 1password severely compromised (a), to the point of making it useless, in exchange for incremental-to-zero gains in (b). For most people here, using a third-party sync service is probably more convenient than avoiding whatever mass-market-cloud-thing 1password is trying to move everyone to.
(I haven't used 1password, but am planning to switch to some other password manager, and this article just knocked 1p off my list of candidates).
> For most people here, using a third-party sync service is probably more convenient than avoiding whatever mass-market-cloud-thing 1password is trying to move everyone to.
Using 1Password's service is actually far more convenient. It Just Works™, whereas other solutions like Dropbox are prone to creating conflicts.
TBH I don't know why anyone who was using a third-party sync service like Dropbox would dislike the 1Password sync service (beyond the fact that it's subscription pricing instead of a one-time license fee). It's only the small subset of users who used Wi-Fi sync that seem to have a legitimate complaint here.
> this article just knocked 1p off my list of candidates
Why? Unless you were planning on using Wi-Fi sync, then you shouldn't have a complaint. Tim Bray makes a lot of noise about web sites being insecure, but you don't need to use the web interface for 1Password (well, until today you needed to use it to create new vaults, but 1Password 6.8 can now create cloud vaults directly in the app). And his comment about if you use Dropbox all they have are the encrypted password file applies just as well to AgileBits, because you need the combination of your secret key + account password to decrypt anything, and at least the secret key (and maybe the account password too, not sure) is never sent to AgileBits.
If you're interested, they also have a white paper on their security, which you can find linked at the bottom of https://1password.com/security/.
Given that vaults contain secrets, and data shared with third parties is not secret in any legally compelling way, that effectively neuters the product.
The data isn't shared with AgileBits. They only have the encrypted vaults, they don't have the keys to open them. So it's no more shared with a third party than using Dropbox to sync a local vault is shared with a third party.
