Why is 1Password 8 less secure than 1Password 7 yet you require an "upgrade" from 7 to 8?
I have "local" vaults that are on Dropbox. Therefore to steal my passwords for crypto and banking, you need to steal my master password for 1Password and for Dropbox. The most likely way to do that is to get control of my machine. Barring that, you would have to get control of both 1Password server and Dropbox servers. If you were the government, you would have to know my setup to subpoena both.
With 1Password 8, you only need to control (a specific) one of 1Password's servers. The one that de-crypts the password to sends it back to client via their api. Their API gets to see the unencrypted password. At that point, if breached, a bad actor can steal all your money. At that point, they can decrypt and send the government all your passwords.
I am getting messages in my browser that I must upgrade and host all my passwords on their server where it is susceptible to these attacks.
I don't want to have this poor security. Why not support local vaults? Is the government forcing this on you?
1Password Version: 7
Extension Version: 7
OS Version: Not Provided
Browser:_ Not Provided
Referrer: forum-search:Why is 1Password 8 less secure than 1Password 7 yet you require an "upgrade" from 7 to 8?
Comments
-
Did you read this?
https://blog.1password.com/developers-how-we-use-srp-and-you-can-too/
0 -
With 1Password 8, you only need to control (a specific) one of 1Password's servers. The one that de-crypts the password to sends it back to client via their api.
There is no such server. All encryption and decryption is done locally on your devices. 1Password.com only ever handles fully-encrypted versions of your data and does not have any of the keys necessary to decrypt it.
You can find a digest of our zero-knowledge security model here: About the 1Password security model.
The short version is that only you have the keys to your data, and we don't. We host the encrypted data and sync it between your devices, and 1Password on your devices performs the encryption and decryption locally with those keys. There is no back door to 1Password, and we wouldn't be able to provide any unencrypted data to anyone, even with a court order: Data Availability for Law Enforcement.
If you have any questions about how our security model works, I'll be happy to answer them. :)
— Grey
0 -
@sroussey In case you are confused if 1Password says "all encryption and decryption is done locally on your devices" and at the same time see clear text username and passwords in your login items on the 1Password webpage sent by a 1Password webserver, keep this in mind: These usernames and passwords aren't actually sent by the server. They are inserted dynamically into that webpage by your browser by a locally running Javascript.
The webserver sends an empty html form without any data and the encrypted vault data, and the Javascript app running locally in your browser takes the encrypted vault data, decrypts it locally, and inserts it locally into that empty form. So the decrypted cleartext data is only processed locally, not transferred over the internet between a webserver and a browser.
0