Trying out 1Password 7 Mac Troubles

dtomack
Community Member

Hi,

I've been a long-time user of 1Password. In the past I considered upgrading to 1Password7, but shied away. I have been running 1Password 6 on my Mac. I decided to try the update and go forward with 7, but I wanted to give it a spin and make sure I am going to be okay with it. That's when things went sideways.

I have tried 1Password 7 before. And I went back to using 1Password6. I managed to do this successfully; long ago.

Today, when I installed 1Password 7, it looks like it deleted 1Password 6; a little unfriendly. And when it started up, it loaded the old 1Password 7 vault-set from when I last tried 1Password 7. This does not have my latest data in it.

What I've tried:

  • I reset 1Password 7 (Help>Troubleshooting>Reset all 1Password Data). Then I imported a back-up that I have of the 1Password 6 data. Almost good enough, but 1Password 6 didn't write a new back-up when it quit.
  • I tried importing the 1Password 6 data via the start-up window, but it wants an opVault file. My 1Password 6 data is in ~/Library/Application Support/1Password 4/Data/OnePassword.sqlite not in an opVault file.
  • I tried to find and use the local sync file, but was unsuccessful. I'd have looked in the 1Password 6 preferences pane, but....

Prior to quitting 1Password 6 and installing 1Password 7, I did sync my iPhone and iPad to the 1Password 6. So, hopefully they have the latest vault data too. Though, I do have multiple vaults and only sync the primary vault to those devices.

So, how can I import my 1Password6 data into 1Password 7? I assume that I can no longer get a 1Password6 installer to put it back to try to get the preferences values and vault. (I haven't yet gone looking for a plist file for the preference values for 1Password6).

Oh, and it appears that I'm in read-only mode for 1Password 7 because of my previous trying it out.

1Password 6 was the latest version.

Help please?

Thank you,
Darin


1Password Version: 7.8.5
Extension Version: Not Provided
OS Version: MacOS 11.2.1
Sync Type: local folder and LAN

Comments

  • ag_ana
    1Password Alumni

    Hi @dtomack!

    > So, how can I import my 1Password6 data into 1Password 7? I assume that I can no longer get a 1Password6 installer to put it back to try to get the preferences values and vault.

    If you open your Applications folder on your Mac, do you see a zipped copy of 1Password 6?

  • dtomack
    Community Member

    Hi ag_ana,

    > If you open your Applications folder on your Mac, do you see a zipped copy of 1Password 6?

    Nope.

    The only 1Password I had in Applications was 1Password 7.

    I managed to work around the issue, but it was a pain. I keep decent back-ups, but I stopped backing up the Applications folder a while ago. Fortunately, I did have a back-up of 1Password6. I restored it.

    So, I managed to solve my issue above by restoring 1Password6, opening it up, and then having it create a backup of the password database. After that, I was able to restore 1Password7 from that back-up. It was disappointing to have to deal with that.

    I do have a different issue/question as well: I'm okay/happy with paying a subscription fee for the latest 1Password. However I really do not want my passwords stored on your servers and available via the web app (my.1password.com). It was tricky to avoid having the app copy my vault into the "Personal" vault.

    I'm one of those people who wants to just run 1Password as though it is stand-alone. I use my LAN to sync between devices. I keep my own back-ups of my password vaults. I'm skittish about my passwords being uploaded anywhere--or frankly the password manager having network connectivity somewhere where it can exfiltrate my passwords. (I work on a web application that deals with customer data).

    Is there a way to completely disable that functionality? I don't want to accidentally store data in a web vault. I don't want to accidentally have my data in my vault(s) copied into the web stored vault.

    Thank you,

    Darin

  • dtomack
    Community Member

    Hi @ag_ana!

    As noted in my previous comment, I think I got past my issues.

    My biggest concern that I still have a question about is the "Can I disable the web-saved Personal vault?" I want to ensure that I will never accidentally or otherwise store any data on your servers. And, I want to ensure, as best I can, that no vault data is otherwise transferred/copied to the Personal vault or otherwise synchronized to your servers. Is there a way to do this? (For now, I have my firewall block network traffic to your server, but that is not a sustainable solution. I think it interferes with retrieval of the Watchtower data.)

    I'm fine (happy?) to pay for the software as a subscription and get updates. I just don't want my vault data stored on your servers. I realize that it is possibly only a slight hedge against compromise, but I see your storage of vaults as encrypted blobs as still being a target for hackers. And, even if they can't crack those vaults now, we don't know if they will be able to in the future. And the large collection of that data in one place makes it attractive to attack and try to exfiltrate even if you cannot crack/decrypt those vaults now.

    Cheers,

    Darin

  • AGAlumB
    1Password Alumni

    Thanks for following up. Older versions of 1Password are available on our download page, but glad you were able to sort things out. It can cause problems to have multiple copies of 1Password installed, so, as with any time you update an app, that will remove the old version. That does not impact 1Password data, however, as that's stored separately. Unless you delete it yourself or have some other software do it, it will remain just as you left it. Although I'm sorry for the difficulty, migrating to 1Password 7, going back to 1Password 6, and then later going back to 1Password 7 again isn't something we can reasonably design around, so you ended up with whatever data you originally migrated to 1Password 7 being outdated until you reset the app and re-did the migration, but it sounds like you should be in good shape there now. :)

    Anyway, although it's not something we support or recommend -- 1Password memberships are designed to be used as 1Password memberships, with the encrypted data stored in the account so that it's automatically backed up and available on any devices where you sign in, which also "licenses" the app, and "disabling" the account you're using is not possible, and not something we're going to design for -- I'd be interested to understand your specific use case and reasons driving you to pay for but eschew most of the benefits.

    For example, you mentioned network connectivity and customer data. It's important to note that 1Password uses exclusively secure communications (and does not depend solely on TLS), and even then the information we have about you is intentionally very limited because we don't want to be in a position where our problem may become yours, for example if we were attacked externally or compromised internally. We have some basic information about you which you provide when signing up and using the service which is needed for us to be able to provide it. You can find more details here:

    1Password privacy

    Regarding security, as always, your 1Password data is encrypted locally on your device and the “keys” to decrypt it are only ever in your possession; and with a 1Password account you have the added protection of the (128-bit, randomly-generated) Secret Key. You can find more details of how all of that works in the white paper:

    1Password security

    Since the "keys" are not ever transmitted to us, and both (Master Password you choose and unique Secret Key) are needed to decrypt the data, even if someone stole the encrypted database from us they would need to get those in order for it to be useful to them. They can only get those from you, and at that point it would be easier for them to get the encrypted data from you as well. A competent attacker will do that, and an incompetent attacker that inadvertently tries to do things the hard way will not be successful.

    Ultimately, either way, even if we didn’t have our customers and livelihood to worry about, we’re still motivated to make any changes necessary to protect data as technology advances, because we're using this ourselves and don't want our own information exfiltrated or compromised either, as 1Password users ourselves. We would not be 1Password users ourselves without these kinds of risks being mitigated. Security is not an absolute, so we'll continue to evolve alongside technology, which isn't a scary thing as it benefits "good guys" and "bad guys" alike. And if you have any questions about our security model, we're happy to answer them. :)
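
The property described in the reply above (a stolen encrypted database is useless without both the Master Password and the Secret Key) can be sketched as follows. This is an added example, not code from the thread or from 1Password; the PBKDF2/HKDF/XOR construction, the iteration count, the `example-secret-key` label, the function names and all sample values are assumptions chosen for illustration.

```python
import hashlib
import hmac

PBKDF2_ITERATIONS = 100_000  # assumed work factor for this sketch


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-then-expand, built on the standard library."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_vault_key(master_password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Combine a stretched, human-chosen password with a high-entropy secret."""
    from_password = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=32
    )
    from_secret = hkdf_sha256(secret_key, salt, b"example-secret-key", 32)
    # XOR: the output is unpredictable unless BOTH inputs are known.
    return bytes(a ^ b for a, b in zip(from_password, from_secret))


def server_side_guess(password_guess: str, salt: bytes) -> bytes:
    """Best effort for someone holding only server-side data: the salt is
    known, the password can be guessed, but the Secret Key never left the
    client, so a placeholder of zeros is all they can substitute."""
    return derive_vault_key(password_guess, bytes(16), salt)


# Constructed sample values, not real credentials.
SALT = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
SECRET_KEY = bytes.fromhex("a3" * 16)  # stands in for a 128-bit random Secret Key
PASSWORD = "correct horse battery staple"
VAULT_KEY = derive_vault_key(PASSWORD, SECRET_KEY, SALT)

if __name__ == "__main__":
    print("vault key:", VAULT_KEY.hex())
    # Even a correct password guess fails without the Secret Key.
    print("password alone recovers key:",
          server_side_guess(PASSWORD, SALT) == VAULT_KEY)
```

In this sketch, offline guessing against a stolen blob has to search the 128-bit secret as well as the password, which is why the work factor of the password stretch alone does not bound the attack cost.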

  • dtomack
    Community Member

    Hi @brenty,

    Thank you for responding.

    I understand about my case being out of the norm with trying 1Password 7 and going back to 6 and then, much later, deciding to update. It was just a frustrating situation.

    > I'd be interested to understand your specific use case and reasons driving you to pay for but eschew most of the benefits.

    Maybe I am misunderstanding the business model, and as such, have done the wrong thing. But my understanding is that I have two choices:
    1. Sign up for a membership, which is a subscription model for paying for 1Password
    2. Purchase a new one-time license for 1Password7. Giving me access to just 1Password7 and its updates.

    I work for a large software company that offers a subscription model for access to its software. I am a software developer. I understand the issues with the "purchase model"; there is no such thing as developing a product once and you are done. Any OS you are on is a moving target. Requires costs to update. etc. As such, I'm okay with paying a reasonable subscription cost for software.

    Maybe what I really want is a subscription version of 2 above. Right now, I am still in the 14 day trial window for my sub. Maybe I'll switch to the license?

    On the security issue. I do not doubt your rigorousness with security. And, the methods outlined in your message, on your website, and in your white-papers seem sound. But, here are my catches:

    • My vault contains all my sensitive information. Banking data, passwords, account ids, etc. So, I'm a bit paranoid about it.
    • As an individual, I am not much of a target. Sure a hacker could get ahold of my vault, but by itself, it is not worth much. And it should be hard to crack. Probably not worth the effort they'd have to put in.
    • 1Password, holding lots of vaults for lots of users. That makes your service a large target; possibly interesting. (The hacks against LastPass seem to validate this idea. Also consider trying to hack into my machine to steal one CC number vs if you could hack into Target and get a database with millions of CC numbers. The latter target is probably more appealing.)
    • So, if I could hack 1Password's service, so what? I'd wind up with a lot of encrypted data I can't access. And that data is well encrypted using two keys (and a salt? I can't recall). And I can't get the keys from 1Password and I'm stuck. But, CPU time is cheap, and storage is cheap and getting cheaper. So, if I could get all the vaults, that might be okay. Maybe I can crack them next year, or 4 years from now... Or, if a flaw were discovered in the methods used for encryption, then I have copies of all those vaults with the data encrypted with that flaw. Maybe cracking gets easier? (There have been flaws discovered in ye olde WEP, WPA (I know not encryption for files), but other flaws have been found in other older methods of encryption as well that made cracking easier)
    • My vault is not impossible to get to. It is just harder to get to--not on a central server--and as a stand alone vault, not valuable for the effort.

    That pretty much sums up my paranoia.

    Thoughts? Should I be considering the stand-alone licenses instead of subscription?

    Thanks!

This discussion has been closed.