To protect your privacy: email us with billing or account questions instead of posting here.

Lost 1Password 6 to 7 user

pol
pol
Community Member

Hello everyone!

I've been a user of 1Password for almost 10 years now. I started with 1Password 4 (I think), and I was using 1Password 6 until some hours ago.
I recently bought a new Mac Mini M1, and while installing apps I tried to download 1Password 6 to discover that 1Password 7 is a whole different thing. (I didn't check for updates too often, no).

I never liked subscription based services, specially web-based ones, so I considered downloading 1Password 6 (I found it on your website). Since 1Password has always been such a great service for me though, I decided to give 1Password 7 a try, but after reading about it and creating and account and so on, I have some questions/doubts:

  1. I used to have my keychain (.agilekeychain file) in Dropbox, which if I'm correct was encrypted locally using AES256, and then synced with Dropbox itself. Now it seems that the passwords are stored in your servers, and although they are also encrypted, I feel this is less secure than having the keychain locally... I assume I'm wrong here, but I can't help but feel that way. What am I missing? Specially since you can access your whole keychain on the website itself...

  2. What happens if some hackers access your database? Because if I understood correctly, if Dropbox data was compromised you were still OK since the file in there was completely AES256 encrypted. Is the same case with you guys?

  3. If I choose to go the my.1password route, I assume I will be ditching Dropbox as a syncing method, right?

  4. The Emergency Kit... I gues that it is supposed to be kept in actual paper somewhere safe, am I right? Just in case I forget my Master Password? I used to keep all my recovery codes for website logins inside 1Password... it's gonna be tough for me to trust a piece of paper, specially since anyone could get all my passwords if they get it.

  5. The Secret Key confuses me. What is it for? I assume it's just another security layer, like 2FA on your cell phone, but still... why the need?

I have a lot more questions that kind of where answered reading blog posts and such, but my main concern is security wise.

Thank you!


1Password Version: 7.8.2
Extension Version: Not Provided
OS Version: macOS Big Sur
Sync Type: ???

Comments

  • ag_ana
    ag_ana
    1Password Alumni

    Hi @pol!

    I used to have my keychain (.agilekeychain file) in Dropbox, which if I'm correct was encrypted locally using AES256, and then synced with Dropbox itself. Now it seems that the passwords are stored in your servers, and although they are also encrypted, I feel this is less secure than having the keychain locally... I assume I'm wrong here, but I can't help but feel that way. What am I missing? Specially since you can access your whole keychain on the website itself...

    1Password data is encrypted no matter where you store it. If you store it on 1Password.com however, it is additionally encrypted with your Secret Key for stronger encryption:

    About the 1Password security model

    What happens if some hackers access your database? Because if I understood correctly, if Dropbox data was compromised you were still OK since the file in there was completely AES256 encrypted. Is the same case with you guys?

    Yes, data is still encrypted, so an attacker would not be able to do anything with it unless they had both your Master Password and Secret Key. As I mentioned above, data stored on 1Password.com is encrypted with stronger encryption, since you don't only need your Master Password to decrypt your data, but also your Secret Key.

    If I choose to go the my.1password route, I assume I will be ditching Dropbox as a syncing method, right?

    Correct.

    The Emergency Kit... I gues that it is supposed to be kept in actual paper somewhere safe, am I right? Just in case I forget my Master Password? I used to keep all my recovery codes for website logins inside 1Password... it's gonna be tough for me to trust a piece of paper, specially since anyone could get all my passwords if they get it.

    That's right, we recommend to print the document and store it in a safe place for emergency reasons. The information included in your Emergency Kit is not like recovery codes though: if you stored your Secret Key and your Master Password inside 1Password, it would not help you if you lost access to your Master Password or Secret Key, because you would not be able to unlock the app without them in the first place.

    The Secret Key confuses me. What is it for? I assume it's just another security layer, like 2FA on your cell phone, but still... why the need?

    It's not for 2FA, it's for stronger encryption:

    About your Secret Key

  • pol
    pol
    Community Member

    Hello @ag_ana, thanks for the reply!

    OK so, in the end, this new method that 1Password 7 uses is more robust and secure than the previous method. I'd like to fully understand the technicalities behind it, but it seems pretty complicated to be honest.

    That's right, we recommend to print the document and store it in a safe place for emergency reasons. The information included in your Emergency Kit is not like recovery codes though: if you stored your Secret Key and your Master Password inside 1Password, it would not help you if you lost access to your Master Password or Secret Key, because you would not be able to unlock the app without them in the first place.

    I never wrote down my Master Key before, so I won't this time either. I'll use the same, which is very secure and impossible to guess.
    The Secret Key on the other hand... seems impossible to remember, so I'll probably have to write it down somewhere... although it feels so insecure to have that data written on a piece of paper. If it ever got "found" by the wrong person, they would have instant access to my passwords. :/

    By the way, what happens if I forget my Master Password and only have my Secret Key? Am I in trouble?

    Thank you!

  • ag_ana
    ag_ana
    1Password Alumni

    @pol:

    I'd like to fully understand the technicalities behind it

    If you want all the details, I recommend our security design white paper here :+1:

    The Secret Key on the other hand... seems impossible to remember, so I'll probably have to write it down somewhere... although it feels so insecure to have that data written on a piece of paper. If it ever got "found" by the wrong person, they would have instant access to my passwords. :/

    There are additional ways to get to your Secret Key if you prefer not to have it printed:

    Find your Secret Key or Setup Code

    Using multiple devices is probably the best way to do this.

    By the way, what happens if I forget my Master Password and only have my Secret Key? Am I in trouble?

    You must make sure you always know your Master Password, because the Secret Key is not enough to decrypt your data. You would not be able to unlock the 1Password app without your Master Password. For your privacy and security, your Master Password is not stored anywhere, only you know it. This means that it is not possible to recover it unless you are a member of a Families or Business accounts. If you have an Individual account or a standalone license, the only thing you can do is try to recover it:

    If you forgot your Master Password or you can’t unlock 1Password

    If, on the other hand, you are part of a Families or Business account, you can ask another Admin to recover your account for you:

    Recover accounts for family or team members

  • pol
    pol
    Community Member

    Hello again @ag_ana!

    If you want all the details, I recommend our security design white paper here :+1:

    Amazing document. Worth a read, although I meant that I wish I understood all that. I'll give it a try though :)

    Thanks for all the info and replies!

  • ag_ana
    ag_ana
    1Password Alumni

    You are very welcome @pol! If you have any questions, please feel free to reach out anytime.

    Have a wonderful day :)

  • DenalB
    DenalB
    Community Member

    Hi @pol !

    If you don't want to use a subscription you are still able to buy a standalone license for 1Password 7 if you want to. But you have to buy this license while installing version 7. Right before creating a new account or logging into your existing account. ;)

    But the subscription is the preferred model which should be used. Here you can read about the benefits of the membership:
    https://support.1password.com/explore/membership/

    No matter how you decide, have fun with 1Password! :)

  • pol
    pol
    Community Member

    That's good to know @DenalB! I usually prefer non subscription based services due to long term cost, and final price of the benefits. For instance, I was a usual user of Adobe products, right until they launched their subscription based business model. Great for them, bad for most of customers, unless you are a really heavy user who takes advantage of their software professionally. The only program I still pay for from them is Photoshop, because I don't really like any alternative. All the rest, gone.

    As I said though, 1Password is different, I use it a lot and I find it really useful, so that's why I decided to go subscription route.

    Thanks for the info though!

  • DenalB
    DenalB
    Community Member

    I know what you mean @pol. That’s why I used Adobe Elements and was happy with this. I also don’t like subscriptions and try to avoid them. But 1Password is different. ;)

This discussion has been closed.