Is any of my information stored locally in Windows 7 with a 1Password.com account?
I've been a long time user of 1Password apps for my personal password management on Mac, iOS, and Windows using Dropbox to keep things in sync. I LOVE the functionality that this has provided over the years. Everything has worked seamlessly.
Yesterday I subscribed to a 1Password.com account so I could also include my Windows 7 work computer in the mix. Based on what I read, it was my understanding that my main password vault would be stored in the cloud. The software has been loaded and the browser plugins have been installed. Everything is working fine. However, I do have a question about the data storage. Is any of my information being stored locally on my work computer? If so, how accessible is this?
Any feedback would be appreciated. Thanks!
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
@Brian_S2: That's a really good question, since it sounds like this is not a machine you own or control completely. There are two ways of looking at this:
Using the 1Password.com web interface
In this case, you data is stored only on the server. It is decrypted and cached only temporarily in the browser as you access items in your vault, but once you logout (or even reload the page), it is no longer accessible.
The one thing you need to be aware of is a little checkbox on the 1Password.com sign in page, which states "This is a public or shared computer". If you leave that unchecked, your Secret Key will be saved in the browser's local storage. You may want to check this box to prevent this from happening on a computer you don't control.
Using the native 1Password app
Here 1Password caches a copy of the encrypted database locally, so you can access it even while offline, when you sign in and authorize the app. There isn't a facility for a "one time login", but you can sign out at any time if needed. I do this when traveling.
So while in this case 1Password is storing data on the device, it is encrypted until you both enter your Master Password to unlock and access an item. Unlocking does not decrypt the entire database at once, only individual items on demand. However, if someone else owns the machine, they may have the ability to capture keystrokes or your data as you access it.
Mitigating circumstances
While someone who is able to obtain your Secret Key from the device/browser will also need to learn your Master Password to be able to access your data/account, if you have reason to believe that there has been a compromise, you have a couple options:
- You can deauthorize individual devices
- Your Secret Key can be regenerated
You can do this on your Profile page at 1Password.com. better safe than sorry.
A final note of caution and hope
Generally we recommend against accessing sensitive data on an untrusted device, as its owner may be able to monitor and collect data as you access it. This applies to all of the above, and ultimately you'll be the best judge of how to proceed. It's your data after all.
But the good news is that a 1Password.com membership allows you to use 1Password on all of your devices, so while not as convenient as using it on a work computer, if you perceive that as being a threat, you can always access your sensitive data on a mobile device of your own that you carry with you.
And last but not least, your 1Password data is encrypted locally, so whether you access it on your work or personal device, nothing is transmitted in the clear, and 1Password isn't relying on the security of the network or TLS/SSL to secure your data either. And since the keys used to encrypt it (your Secret Key and Master Password) are never transmitted, someone capturing your encrypted data from our server, during transmission, or cached on your device will not be able to decrypt it.
I hope this helps. Be sure to let me know if you have any other questions! :)
0 -
Awesome reply! This will help me make an informed decision on how I want to manage things on my work computer. You are correct in that this is not a machine that I control completely, although I am the primary user. I'll ponder things over, but on first review it seems like the 1Password.com web interface might be a good choice for what I want to do.
On a side note, I'd like to give your team kudos for the thoughtful and detailed responses being provided in these forums. The customer care here is pretty amazing compared to what I've seen elsewhere. People may not always get the result they want, but they do get an engaged, professional response with a lot of consideration for the user. Thanks!
0 -
You're welcome, @Brian_S2 and thank you for your praise, we aim to please :)
Now if there's anything else we can help you with, feel free to ask.
Cheers and have a great weekend.
Alex
0