classic extensions questions

1pwuser31547

Hi.
I could not find the classic extensions directly on the Chrome web store extensions page when doing a search multiple times for "1 password".
I was trying to install the classic extension on a new Chrome profile.
I previously did not encounter this when searching for the “classic” extension.
Why does searching the web store not yield the classic extension but only the purely web based extension?

This gives me the impression that you are discouraging people from using the classic extension.
Do you eventually plan to deprecate native apps and their extensions like some other password managers have already done?

Is this new extension the previous 1 password X?

I was able to find the link from an older Chrome profile where I had the classic extension previously installed.
Eventually I did find the link also on your website.

Thanks

1pwuser31547

Ok, I see the discussion now "Why am I now on 'new' 1Pass extension and not classic?"
(I didn't know there was a separate "1 password in the browser forum")

@ag_ana "For clarification, the classic extension is still supported. It is not receiving new updates, which is a different thing, but it is certainly still supported"

It is very disappointing to read that a critical piece of software will no longer be receiving updates.
I use local vaults in addition to account vaults. So learning that the only extension that fills credentials from local vaults will no longer be supported is very concerning to me.

ag_yaron

Hey @1pwuser31547 ,

1Password in the browser (previously known as 1Password X) is definitely what we're pushing towards, as it provides a much better and easier autofilling experience.
1Password Classic's download link can be found on our downloads page, as you've already found, but indeed we're encouraging users to go with 1Password in the browser.

We're planning on integrating 1Password in the browser with the desktop app, which will allow it to unlock alongside the desktop app and remain unlocked even if you close the browser, and also use Touch ID/Windows Hello to unlock it, just like 1Password Classic works (only better).

I do not know the long term plans and if/when 1Password Classic will be deprecated, but for now, it is definitely supported and you can use it just as you did before. :chuffed:

1pwuser31547

Hi @Yaron

1. Will it offline unlock, like the app and so only need MP and not secret key (and 2FA)?
2. Will it Autofill credentials from local as well as online vaults?

Thanks

ag_yaron

Hey @1pwuser31547 ,

1. Yes. 1Password in the browser stores a cached copy of your items so you can access it without requiring an internet connection. It will remember your Secret Key. 2FA is only required once to authenticate a device/browser. Once it is authenticated, 2FA will not be required again.

2. No. Local vaults will not be available in 1Password in the browser as it reads and writes data directly from your 1Password.com account and not from the desktop app. The integration feature we're working on is not for sharing data between the two, but to share the lock state and Touch ID/Windows Hello access.

1pwuser31547

This is all true cross platform?

ag_yaron

Yes, this is true for all desktop platforms (Windows/Mac/Linux).
Mobile/Tablet platforms utilize the 1Password native app which integrates into the OS itself and do not have/need a separate browser extension.

1pwuser31547

Thanks for the info.
It’s too bad (for me at least) that there won’t be support for local vaults with the new extension.

ag_yaron

If you keep local vaults due to security concerns, I'll be more than happy to elaborate and demonstrate how your vaults are secured on our servers.

In case you keep local vaults for other reasons unrelated to security, let me know what they are and I'll inform you if there are other solutions/ways to handle the situation :)

1pwuser31547

I can control where and how I store local vaults by backups. I can’t back up online vaults myself (I can if I copy them to local vaults but that’s too clunky).
Travel mode is all or none- not device specific.

I’ve read your white paper (a few times) - it’s more comprehensive than any other password manager WP that I’ve read- much appreciated.
You have a very secure product but no doubt there’s a higher security margin for offline data storage.

ag_yaron

I appreciate you reading our white paper @1pwuser31547 ! That's great to hear.

Our apps always keep a local copy of your vaults and items so it is always available to you, even if you are offline (or if we are for some reason). You can basically back up your entire 1Password's supporting folder manually if you'd like to, but that is a bit redundant if you have a local copy of your database alongside a copy on our servers.

As for security, the Secret Key that is added to your Master Password encrypts your data on our servers in a manner that makes it virtually impossible to crack by anyone. We also do not have access or knowledge of your Secret Key and Master Password, so we can't access your data as well. That has always been our way of doing business - we can't lose what we don't have.
Even if we do experience a breach, the attacker cannot do anything with the encrypted data, so in a way, vaults that are stored on our servers are better encrypted (Secret key + Master Password) than local vaults on your computer (Master Password only).

The security margin for offline data storage comes from the fact there's just smaller odds for someone to attack your device directly compared to the amount of attack attempts our servers deal with. So much is true. But again - if such an attack is successful, we made sure the data on our servers is unreadable and unusable to anyone and everyone except for the user who has the combination of Master Password and Secret Key to said data. :chuffed:

1pwuser31547

Thank you @yaron

It would be better if there were simply an option to back up all vaults, just like there exists for the local ones, rather than hunting for the local cache.

Of course, by keeping data local only, you remove potential access to it and so undeniably it is the most conservative, the most secure (and least convenient) option.

I chose 1P because of the option for local and on-line data storage. I believe it's one of the most secure commercial password managers and I really find this forum to have great value.

However, it's still disappointing to see how 1P appears to be moving away from fully supporting local vaults.

Historically browser extensions have been the source of most of the exploits, real or potential, of password mangers. So by no longer updating them for local vaults is very concerning to me.

ag_yaron

I can definitely see where you're coming from @1pwuser31547 , and appreciate your feedback and concerns here.

I know there has been some talks about building a backup and restore tool that will back up online vaults locally, but it is not available yet. Hopefully it will be sometime in the near future.

Of course, by keeping data local only, you remove potential access to it and so undeniably it is the most conservative, the most secure (and least convenient) option.

That's true, but here comes the part where a major distinction needs to happen. If it is online, there is a potential for someone accessing the encrypted data - yes. However, there is zero chance someone can decrypt it and actually get something valuable out of it. This distinction was very important to me before I signed up for a 1Password.com account. I really liked my local vaults but as soon as that hit me - I was sold (and am an encryption enthusiast ever since :chuffed: ).

I do understand your "Better safe than sorry" choices, and I'm ok with them as long as I know you have full understanding of how things work and why they work like that. I support you for it :+1:

Extensions are indeed the source of most exploits, but the vast majority of instances occur because the extension itself is malicious/fake.
Browsers are quite strict when it comes to extensions, running them in separate sandboxed environment etc, and we ourselves added a bunch of security checks and methods: https://support.1password.com/1password-browser-security/

Thank you kindly for this discussion. It is always good to hear the other side of the coin from someone who knows the subject well.

Mirpurlady

I have 1Password Classic (6). I don't remember ever getting a Secret Key. How do I get one? I see I need one to install a new Firefox browser extension.

ag_tommy

@Mirpurlady

A Secret Key is only for users using 1Password.com for syncing. It sounds like you may be looking for the classic extension. I would recommend looking at one of our membership options which includes the latest version of 1Password provided your system can make use of it.

About 1Password membership

Get the 1Password classic extension

Mirpurlady

I can download the extension, but when I try to use it, it asks for a secret key. My understanding is that people using Classic don't have a secret key. So what is the point of downloading a Classic extension if it asks for something not in Classic? Or how do I get this key?

ag_yaron

Hey @Mirpurlady ,

Only our newer 1Password extension asks for a Secret Key.
The 1Password Classic extension does not ask for a Secret Key, so please remove whichever extension you currently have installed in your browser and install the Classic extension instead from the link that ag_tommy provided: https://support.1password.com/cs/1password-classic-extension/

Mirpurlady

I deleted the old extension and added a new one from your link, but it says,
There is no application set to open the document “1Password-4.7.5.90.xpi” If I look for Firefox, it is grayed out and unselectable

ag_ana

@Mirpurlady:

Can you try dragging and dropping the .xpi file directly over an open Firefox window?