Does 1Password8 support standalone vaults

MarkWieczorek
Community Member
edited April 2023 in Mac

I am using 1Password7 with stand-alone vaults that I synchronize myself using a private server. I would like to upgrade to 1Password8, but the online description of the process is not very clear (see https://support.1password.com/migrate-1password-account/).

Could someone here tell me if 1Password8 allows you to use private vaults that the user can synchronize using their own server (like Nextcloud, Dropbox, iCloud, etc.)? The instructions for migrating state that you first need to migrate your vault to a 1Password "account". I presume that this means that it is an online account where my data are stored on your servers. If I were to do this, could I later decide to use a stand-alone vault?



Comments

  • @MarkWieczorek

    No, 1Password 8 does not support standalone vaults. 1Password 8 is our first membership-only offering. Yes, there is an online account portion with membership. No, 1Password 7 is the last version to support standalone vaults. This may help too: https://1password.community/discussion/129161/the-future-of-local-standalone-vaults/p1

  • MarkWieczorek
    Community Member
    edited April 2023

    Thanks for the quick response, even though it is not what I was expecting.

    I have used 1Password for more than a decade and I have been very happy with it and have promoted it to many of my friends and colleagues. I was never happy that 1Password was a closed source black box, but given that I was able to store my own vaults on my own servers, I was satisfied that there were no real security concerns to worry about.

    I understand that some people might appreciate the simplicity of having everything stored on the cloud. I also understand that 1Password does need to make a profit somehow. Unfortunately, for me though, the software as a service approach, closed source products, and the storing of all information in the cloud is just too much for me to swallow. If 1Password were to make the client open source, I would have been more than happy to pay a 1-time fee (or perhaps a subscription) to use your software.

    As soon as 1Password7 stops working with web browsers (I received a warning today that the browser plugin is no longer supported and will stop working at some point), I will be transitioning to KeePassXC, which is free, open source, and allows you to store your own vaults on your own servers. It also imports the 1Password vault (with attachments) without any problems as far as I can tell. I don't blame you for your business decisions, but at the same time, I feel that you have abandoned your most ardent users that have been with you for over a decade. As much as I would like to blame you for this, it is my own fault: Whenever you use closed source software, there is a good chance that you will be burned at some point. In retrospect, I have been burned every time.

    In any case, thanks for providing a great piece of software, up to, but not including version 8. And thanks also for making it easy for non-tech-savvy people to use a password manager.

  • @MarkWieczorek

    Thank you for using 1Password for so many years and for telling your friends and family about us so that they can also keep their data safe and secure. We really appreciate that you've been with us for so long. 😊

    1Password undertakes regular independent security audits to make sure that both our code and our design are secure. You can read about the audits here: https://support.1password.com/security-assessments/

    > Unfortunately, for me though, the software as a service approach, closed source products, and the storing of all information in the cloud is just too much for me to swallow.

    I would encourage you to read through our security design. All of your information is end-to-end encrypted locally on your devices before being backed up to your 1Password account. 1Password account vaults are much more secure than older standalone vaults. Your 1Password account data is protected and encrypted using a secret that is derived from both your account password and your Secret Key. Old standalone vaults didn't include the Secret Key, nor did they include other modern security features such as two-factor authentication.

    This makes using a 1Password account vault much more secure than using an older standalone vault.

    > If 1Password were to make the client open source, I would have been more than happy to pay a 1-time fee (or perhaps a subscription) to use your software.

    I'm not aware of any plans to fully open source our apps; however, we do regularly open source certain code and tools: 1Password · GitHub

    If you haven't already then please fill out the self-hosting survey as we're collecting data regarding demand for a version of 1Password.com that folks can host on their own server: Self-hosted 1Password kick-starter

    That all being said, thank you again for being with us for so long and if you are moving on then I'm happy that you're still planning to use a password manager to keep yourself safe, even if that isn't 1Password.

    -Dave

  • MarkWieczorek
    Community Member

    I wish I could verify that what you said is in fact correct.

    In any case, if your servers were compromised, and the attacker was able to retrieve all my data, how would 2FA help?

  • @MarkWieczorek

    The security audits that I mentioned in my previous post are one way to verify that 1Password does what it claims that it does. The audits are conducted by independent third-party organizations that are well known and respected in the industry. We open 1Password to their inspection and then we publish their findings publicly.

    We also have a very high-paying bug bounty program to incentivize the community to test 1Password and to report security issues or vulnerabilities: Strengthening our investment in customer security with a $1 million bug bounty

    > In any case, if your servers were compromised, and the attacker was able to retrieve all my data, how would 2FA help?

    You're right, 2FA wouldn't help there. That's where our dual-key architecture and cryptography come into play. We take data security very seriously and we deliberately limit the information that we can access here on our end. As mentioned, all of your actual 1Password data is end-to-end encrypted using a private key derived from your account password and Secret Key, so all that we see on our end are encrypted blobs of gibberish. If our servers were breached, all that the attacker would be able to get is that encrypted gibberish, not your data.

    Our Chief Technology Officer actually wrote a blog explaining how our security design protects your data even if our servers are breached: How 1Password Keeps Your Data Safe, Even In the Event of a Breach

    -Dave
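
The two-secret key derivation described in the replies above, as an added example that is not part of the original thread and is not 1Password's code: it shows why server-side data alone does not allow checking a password guess when the key also depends on a random secret held only on the user's devices. The PBKDF2/HKDF/XOR construction, the iteration count, the function names and all sample values are assumptions chosen for illustration.

```python
import hashlib
import hmac


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-then-expand using HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_unlock_key(password: str, secret_key: bytes, salt: bytes,
                      iterations: int = 100_000) -> bytes:
    """Derive a 32-byte key from a memorised password AND a device-held secret."""
    # Slow, salted stretch of the human-chosen (low-entropy) password.
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # The random secret is already high-entropy; it only needs domain separation.
    device_part = hkdf_sha256(secret_key, salt, b"example-two-secret-kdf")
    # XOR the halves: the result cannot be computed unless both inputs are known.
    return bytes(a ^ b for a, b in zip(stretched, device_part))


def unlocks(password: str, secret_key: bytes, salt: bytes, real_key: bytes) -> bool:
    """True only if this (password, secret key) pair reproduces the real key."""
    candidate = derive_unlock_key(password, secret_key, salt)
    return hmac.compare_digest(candidate, real_key)


# Constructed sample values (not real credentials).
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
SECRET_KEY = bytes.fromhex("5f" * 16)  # stands in for 128 random bits kept on the device
PASSWORD = "correct horse battery staple"
REAL_KEY = derive_unlock_key(PASSWORD, SECRET_KEY, SALT)

if __name__ == "__main__":
    print("password + secret key:", unlocks(PASSWORD, SECRET_KEY, SALT, REAL_KEY))
    # Someone holding only server-side data (salt, ciphertext) lacks the device
    # secret, so even the correct password does not reproduce the key.
    print("password only:        ", unlocks(PASSWORD, bytes(16), SALT, REAL_KEY))
```

With a password-only scheme, the last check would succeed for a correctly guessed password; here the guess space is multiplied by the size of the device secret.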

This discussion has been closed.