Local OPVault vs 1Password.com local database

tentalila
Community Member

First of all, I want to let you know what a great job you all are doing. I searched long and hard for a password manager that works for me, and I'm really glad I landed with you guys. I'm one of those users that is not yet ready to put my data on the cloud, so it was very important to have a local sync option and keep all data in my LAN.

I'm currently using my NAS to sync my Macs via folder sync and then using WLAN syncing for my iOS devices. Have had no issues - it works beautifully.

For local syncing, my understanding is that the "cost" of doing this is that a 1Password account will use the account key + master password to encrypt all data - including locally cached data. Whereas, using OPVault for folder syncing will encrypt the data using just the master password. My understanding also is that a 1Password account will use PBKDF2 with 100,000 iterations whereas a local OPVault will use PBKDF2 with 10,000+ iterations depending on the computer's processing capacity (am using a 2008 Mac Pro, my trusty workhorse).

So my take is that there is a difference in these two encryption schemes, but I'll accept the trade-off to assuage us paranoid types. I've taken creating a good master password to heart which should mitigate risk in using OPVault versus an online 1Password encryption.

Am I thinking about this correctly? Outside creating a strong master password, are there any other suggestions to maximize security using local syncing and OPVaults? :) Again, you guys rock and I really appreciate what you've put together.


1Password Version: 6.7.1
Extension Version: 4.6.6.90
OS Version: 10.11.6
Sync Type: Local

Comments

  • AGAlumB
    1Password Alumni
    edited June 2017

    @tentalila: Wow! You've certainly done your due diligence with regard to 1Password's security model. Cheers! :glasses:

    I do want to clarify a few things though, in case it helps. First, there is no additional risk when using OPVault. 1Password.com data is handled very similarly. The differences between them are two-fold:

    1. There's a lot of infrastructure security with 1Password.com which simply doesn't apply to OPVault. The database itself is built on the same fundamental technologies (AES, PBKDF2, etc.). But of course with 1Password.com we have a centralized server handling storage and sync, so there's authentication and transmission protocols (SRP, for instance) which we can use there, but which are not applicable to local vaults.
    2. 1Password.com also uses the Secret Key in addition to your Master Password to encrypt the data. Again, this is an extra step we've taken (like server security) to protect 1Password.com user data since we have to assume that 1Password.com will be a target for attack and could be breached (and the database stolen) at some point. We put a lot of effort into preventing this from ever happening, but we're planning for the worst and acting accordingly. There's just too much at stake.

    So while I'm not going to argue that 1Password.com is not more secure overall compared to OPVault (it is — it would arguably be easier for someone to gain access to one of your devices), that's not because OPVault is insecure. We've just taken things much further with 1Password.com (you can read more details in the white paper, if you're curious), both because we can and since the threat model is different. In either case, using a long, strong, unique Master Password will ensure that it's infeasible for someone to break into your data...though with 1Password.com it is not possible to perform a brute force attack on the Master Password alone, since the Secret Key is also needed.

    So, suffice to say, it sounds like you're already doing everything you can to protect your local vault. Literally the only things you could do to reasonably increase your security would be to use an even stronger Master Password and/or use a 1Password.com account for the added benefits. Either way, it may be overkill. But it's your data and your call. So it warms my heart to say that really I have no other advice for you, other than keep it up. Excelsior! :sunglasses:
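
Added example, not part of the thread and not 1Password's code: it compares the guessing cost of a password-only key (the local vault case above) with a key that also depends on a second random secret, at the two iteration counts mentioned in the question. The hash function, the 128-bit secret size, the XOR mixing step and the sample password entropies are assumptions chosen for illustration.

```python
import hashlib
import hmac
import math
import os
import time

HASH = "sha256"        # assumption: hash chosen for illustration
SECRET_KEY_BITS = 128  # assumption: size of the random second secret


def derive_password_only(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Local-vault model: the key depends on the Master Password alone."""
    return hashlib.pbkdf2_hmac(HASH, password, salt, iterations)


def derive_two_secret(password: bytes, secret_key: bytes, salt: bytes,
                      iterations: int) -> bytes:
    """Account model (simplified): stretch the password, then mix in a
    second high-entropy secret so both are needed to rebuild the key."""
    stretched = hashlib.pbkdf2_hmac(HASH, password, salt, iterations)
    mask = hmac.new(secret_key, salt, HASH).digest()
    return bytes(a ^ b for a, b in zip(stretched, mask))


def work_bits(password_bits: float, iterations: int, secret_bits: int = 0) -> float:
    """log2 of the PBKDF2 iterations needed to try every candidate input."""
    return password_bits + secret_bits + math.log2(iterations)


def seconds_per_guess(iterations: int, rounds: int = 3) -> float:
    """Measured cost of one derivation on this machine (best of `rounds`)."""
    salt, best = os.urandom(16), float("inf")
    for _ in range(rounds):
        start = time.perf_counter()
        derive_password_only(b"constructed-sample-guess", salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best


if __name__ == "__main__":
    for bits in (30, 50, 70):  # constructed Master Password entropies
        print(f"{bits}-bit password: "
              f"10k iters = 2^{work_bits(bits, 10_000):.1f}, "
              f"100k iters = 2^{work_bits(bits, 100_000):.1f}, "
              f"100k + second secret = "
              f"2^{work_bits(bits, 100_000, SECRET_KEY_BITS):.1f}")
    for n in (10_000, 100_000):
        print(f"{n} iterations: {seconds_per_guess(n) * 1000:.1f} ms per derivation")
```

Going from 10,000 to 100,000 iterations adds about 3.3 bits of work, roughly what one extra random character in the Master Password gives, which is why password strength dominates for a local vault.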

  • tentalila
    Community Member

    Really appreciate the thoughtful response, brenty! Happy to be part of this clan. :)

  • Glad to see that Brenty answered your question to your satisfaction. Let us know if you have any more questions. :)

    Rick

This discussion has been closed.