Can't create a new vault from the start?
Hi guys. Long time no see, right? ;)
I'm having trouble using 1P on my new PC. I'm running Windows 10 64 bits. I just download the last version 6 of 1P, and on the screens I have to "Sign in in my 1Password account". But hey, I think I don't have any.
I bought last year a life-licence, but on the new app, I cannot find a way to create a new vault then register in "Help > Enter Licence Key" as it once was.
As many, I'm concerning about the strateic choice the AgeileBits team did, putting all his effort in a web based solution (cloud). That's why a lot of us switch from LastPass to 1Password, in order NOT to be vulnerable from an attack of 1Password server (no matter the security you put on your infrastructure).
So I really hope they is still a way to create and manage vaults without any web storage!
Thanks,
1Password Version: 6
Extension Version: Not Provided
OS Version: W10
Sync Type: Not Provided
Referrer: forum-search:New vault windows 10
Comments
-
Hello @4wk_,
Thank you for getting in touch again! ;)
If you are planning to use a local vault, you should download 1Password 4, not 1Password 6. Here is the direct download link.
We are building 1Password 6 from scratch and it is now focused on our 1Password accounts. The end goal is to bring 1Password 6 for Windows to a feature parity with 1Password 4 and have one modern 1Password app for Windows.
We are aware of past attacks on other services, so we designed 1Password accounts with such potential attacks in mind. You won't believe that, but they are more secure than a local vault. :)
Please let us know if you have more questions, we will be happy to answer them. Thanks!
++
Greg0 -
Hello Greg, thanks for answering.
I read 2 posts on the support site plus the one you provided me. I'm a bit sad that I have to stay with 1P 4 if I want to stay with a local vault.
Here's is an example of a plausible scenario:
- 1Password servers are really attractive, for the sensible data they stored.
- Of course, all this data is not exploitable without both master password and account key.
- Let's say someone succeed in logging on your server. Someone clever: all this raw data is not exploitable, so he put a keyloger or whatever, to record communication / transaction between the 1Password server and us, your customers.
- You guys don't notice the problem for the first week (I'm in IT, that's happen)
- He can then retrieve all the data (masterPwd, account key) recorded by the malware during the week. And with the raw encrypted data, it's bingo: he can decrypt it
(I'm not saying this will happen, but that is technically possible. Right ?
Quite the contrary, if I'm using the local vault:
- I HAVE TO BE the specific target of the hacker / enemy. That make all the difference!
- If I'm the specific target, there is no security or encryption stronger enough to protect my data (keylog, phishing, stealing hardware, camera, etc). So that's ok for me (and others) to get compromised If i'm the target ;)
It's actually not paranoia: I really doubt to be the specific target of whoever, cause I'm a simple citizen. On the other hand, my data could be compromised just because I'm a part of the 1Password user. Right?
What is your opinion?
0 -
@4wk_: Thank you for getting back to me! :+1:
You are raising the right questions. :) However, the design of 1Password accounts makes your scenario not so plausible:
- Let's say someone succeed in logging on your server. Someone clever: all this raw data is not exploitable, so he put a keyloger or whatever, to record communication / transaction between the 1Password server and us, your customers.
- You guys don't notice the problem for the first week (I'm in IT, that's happen)
- He can then retrieve all the data (masterPwd, account key) recorded by the malware during the week. And with the raw encrypted data, it's bingo: he can decrypt it
- We use end-to-end encryption. All cryptographic keys are generated and managed by the 1Password client on your devices, and all encryption is done locally.
- We don't know your Master Password and Account Key. We are never in the position of learning your Master Password or your cryptographic keys.
- Nothing “crackable” is stored on our servers. Often a server will store the password hash. If captured, this can be used in password cracking attempts. Your locally held Account Key means that the data we store cannot be used for cracking attempts.
If you are interested in learning more about the security design of 1Password accounts, please take a look at the White Paper, published on our website. It explains every point in greater detail.
Still not convinced? Please share your additional concerns with us and I will ask someone from our security team to weigh in. :) I am glad we are having this conversation. Thank you!
Cheers,
Greg0