Lost 1Password 6 to 7 user
Hello everyone!
I've been a user of 1Password for almost 10 years now. I started with 1Password 4 (I think), and I was using 1Password 6 until some hours ago.
I recently bought a new Mac Mini M1, and while installing apps I tried to download 1Password 6 to discover that 1Password 7 is a whole different thing. (I didn't check for updates too often, no).
I never liked subscription-based services, especially web-based ones, so I considered downloading 1Password 6 (I found it on your website). Since 1Password has always been such a great service for me though, I decided to give 1Password 7 a try, but after reading about it and creating an account and so on, I have some questions/doubts:
I used to have my keychain (.agilekeychain file) in Dropbox, which if I'm correct was encrypted locally using AES256, and then synced with Dropbox itself. Now it seems that the passwords are stored in your servers, and although they are also encrypted, I feel this is less secure than having the keychain locally... I assume I'm wrong here, but I can't help but feel that way. What am I missing? Especially since you can access your whole keychain on the website itself...
What happens if some hackers access your database? Because if I understood correctly, if Dropbox data was compromised you were still OK since the file in there was completely AES256 encrypted. Is the same case with you guys?
If I choose to go the my.1password route, I assume I will be ditching Dropbox as a syncing method, right?
The Emergency Kit... I guess that it is supposed to be kept on actual paper somewhere safe, am I right? Just in case I forget my Master Password? I used to keep all my recovery codes for website logins inside 1Password... it's gonna be tough for me to trust a piece of paper, especially since anyone could get all my passwords if they get it.
The Secret Key confuses me. What is it for? I assume it's just another security layer, like 2FA on your cell phone, but still... why the need?
I have a lot more questions that were kind of answered by reading blog posts and such, but my main concern is security-wise.
Thank you!
1Password Version: 7.8.2
Extension Version: Not Provided
OS Version: macOS Big Sur
Sync Type: ???
Comments
-
Hi @pol!
I used to have my keychain (.agilekeychain file) in Dropbox, which if I'm correct was encrypted locally using AES256, and then synced with Dropbox itself. Now it seems that the passwords are stored in your servers, and although they are also encrypted, I feel this is less secure than having the keychain locally... I assume I'm wrong here, but I can't help but feel that way. What am I missing? Especially since you can access your whole keychain on the website itself...
1Password data is encrypted no matter where you store it. If you store it on 1Password.com however, it is additionally encrypted with your Secret Key for stronger encryption:
About the 1Password security model
What happens if some hackers access your database? Because if I understood correctly, if Dropbox data was compromised you were still OK since the file in there was completely AES256 encrypted. Is the same case with you guys?
Yes, data is still encrypted, so an attacker would not be able to do anything with it unless they had both your Master Password and Secret Key. As I mentioned above, data stored on 1Password.com is encrypted with stronger encryption, since you don't only need your Master Password to decrypt your data, but also your Secret Key.
If I choose to go the my.1password route, I assume I will be ditching Dropbox as a syncing method, right?
Correct.
The Emergency Kit... I guess that it is supposed to be kept on actual paper somewhere safe, am I right? Just in case I forget my Master Password? I used to keep all my recovery codes for website logins inside 1Password... it's gonna be tough for me to trust a piece of paper, especially since anyone could get all my passwords if they get it.
That's right, we recommend printing the document and storing it in a safe place for emergency reasons. The information included in your Emergency Kit is not like recovery codes though: if you stored your Secret Key and your Master Password inside 1Password, it would not help you if you lost access to your Master Password or Secret Key, because you would not be able to unlock the app without them in the first place.
The Secret Key confuses me. What is it for? I assume it's just another security layer, like 2FA on your cell phone, but still... why the need?
It's not for 2FA, it's for stronger encryption:
About your Secret Key
0 -
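An added illustration (not part of the thread and not 1Password's own code) of the point made in the reply above: when the unlock key depends on both the Master Password and a device-held Secret Key, someone holding only the stored data cannot test password guesses. The PBKDF2/HKDF/XOR construction, the iteration count, and every name and value here are assumptions chosen for the sketch.

```python
import hashlib
import hmac
import secrets

ROUNDS = 100_000  # assumed PBKDF2 iteration count for this sketch

def stretch(password: str, salt: bytes) -> bytes:
    """Slow key derived from the memorised Master Password only."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS, 32)

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-then-expand with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def unlock_key(password: str, secret_key: bytes, salt: bytes, account: str) -> bytes:
    """Mix the stretched password with the device-held Secret Key (XOR)."""
    expanded = hkdf_sha256(secret_key, account.encode(), b"secret-key")
    return bytes(a ^ b for a, b in zip(stretch(password, salt), expanded))

def verifier(key: bytes) -> str:
    """Stand-in for anything stored remotely that lets a guess be checked."""
    return hmac.new(key, b"verify", hashlib.sha256).hexdigest()

def offline_guess(wordlist, derive, target):
    """Return the first guess whose derived key matches target, else None."""
    for guess in wordlist:
        if hmac.compare_digest(verifier(derive(guess)), target):
            return guess
    return None

def demo():
    salt, account = b"constructed-salt", "pol@example.com"  # constructed values
    password, secret_key = "correct horse", secrets.token_bytes(16)
    wordlist = ["hunter2", "letmein", "correct horse"]  # includes the real password
    single = offline_guess(wordlist, lambda g: stretch(g, salt), verifier(stretch(password, salt)))
    target2 = verifier(unlock_key(password, secret_key, salt, account))
    # A holder of the stored data has no Secret Key and must substitute a guess.
    dual = offline_guess(wordlist, lambda g: unlock_key(g, bytes(16), salt, account), target2)
    owner = offline_guess(wordlist, lambda g: unlock_key(g, secret_key, salt, account), target2)
    return single, dual, owner

if __name__ == "__main__":
    print(demo())
```

With a password-only key the wordlist finds the password; with the two-secret key the same wordlist fails unless the 128-bit Secret Key is also known.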
Hello @ag_ana, thanks for the reply!
OK so, in the end, this new method that 1Password 7 uses is more robust and secure than the previous method. I'd like to fully understand the technicalities behind it, but it seems pretty complicated to be honest.
That's right, we recommend printing the document and storing it in a safe place for emergency reasons. The information included in your Emergency Kit is not like recovery codes though: if you stored your Secret Key and your Master Password inside 1Password, it would not help you if you lost access to your Master Password or Secret Key, because you would not be able to unlock the app without them in the first place.
I never wrote down my Master Key before, so I won't this time either. I'll use the same, which is very secure and impossible to guess.
The Secret Key on the other hand... seems impossible to remember, so I'll probably have to write it down somewhere... although it feels so insecure to have that data written on a piece of paper. If it ever got "found" by the wrong person, they would have instant access to my passwords. :/
By the way, what happens if I forget my Master Password and only have my Secret Key? Am I in trouble?
Thank you!
0 -
@pol:
I'd like to fully understand the technicalities behind it
If you want all the details, I recommend our security design white paper here :+1:
The Secret Key on the other hand... seems impossible to remember, so I'll probably have to write it down somewhere... although it feels so insecure to have that data written on a piece of paper. If it ever got "found" by the wrong person, they would have instant access to my passwords. :/
There are additional ways to get to your Secret Key if you prefer not to have it printed:
Find your Secret Key or Setup Code
Using multiple devices is probably the best way to do this.
By the way, what happens if I forget my Master Password and only have my Secret Key? Am I in trouble?
You must make sure you always know your Master Password, because the Secret Key is not enough to decrypt your data. You would not be able to unlock the 1Password app without your Master Password. For your privacy and security, your Master Password is not stored anywhere, only you know it. This means that it is not possible to recover it unless you are a member of a Families or Business account. If you have an Individual account or a standalone license, the only thing you can do is try to recover it:
If you forgot your Master Password or you can’t unlock 1Password
If, on the other hand, you are part of a Families or Business account, you can ask another Admin to recover your account for you:
Recover accounts for family or team members
0 -
Hi @pol !
If you don't want to use a subscription, you are still able to buy a standalone license for 1Password 7 if you want to. But you have to buy this license while installing version 7, right before creating a new account or logging into your existing account. ;)
But the subscription is the preferred model which should be used. Here you can read about the benefits of the membership:
https://support.1password.com/explore/membership/
No matter how you decide, have fun with 1Password! :)
0 -
That's good to know @DenalB! I usually prefer non-subscription-based services due to long-term cost, and final price of the benefits. For instance, I was a usual user of Adobe products, right until they launched their subscription-based business model. Great for them, bad for most customers, unless you are a really heavy user who takes advantage of their software professionally. The only program I still pay for from them is Photoshop, because I don't really like any alternative. All the rest, gone.
As I said though, 1Password is different, I use it a lot and I find it really useful, so that's why I decided to go the subscription route.
Thanks for the info though!
0