Local vault; no Secret Key?

This discussion was created from comments split from: I cant log into my account to load onto a new pc.

Comments

  • Finke03
    Community Member

    Hi,

    I'm currently not using a 1PW subscription due to the fact that the data will be stored on your servers outside of Europe. Currently I'm using 1PW 4 with local vault support.
    Since the subscription model was introduced I've been following these kinds of discussions. During the last months I saw several threads like this, where users are not able to log in with valid logon credentials (MP + SK) anymore, but all ended with clarification via email.
    What are the results of all these threads? Were all these users finally able to access their data again?

    Due to the fact that currently no local backup for subscription based vaults exists, this is a really interesting topic.

  • Ben
    edited July 2017

    Hi @Finke03,

    Thanks for taking the time to write in.

    During the last months I saw several threads like this, where users are not able to log in with valid logon credentials (MP + SK) anymore, but all ended with clarification via email.

    Nobody will ever be able to log in to 1Password 4 for Windows using a valid Master Password and Secret Key because 1Password 4 for Windows doesn't support 1Password memberships. :)

    The result of the email threads is generally to point people in the direction of the newer 1Password 6 for Windows, which does support 1Password memberships, and as such they are able to log in (assuming they do actually have valid credentials).

    Due to the fact that currently no local backup for subscription based vaults exists, this is a really interesting topic.

    There is a local cache of subscription based vaults, which largely serves the purpose folks are looking for an offline backup for: offline access to their data. However, you are correct that you must be online (and able to log in to your account) to actually restore a backup or cache the data on a device for the first time.

    I hope that helps. Should you have any other questions or concerns, please feel free to ask.

    Ben

  • Finke03
    Community Member

    Hi Ben,

    I think there was some misunderstanding regarding my question.
    It's clear to me that 1PW 4 with local vaults only uses the master password for the encryption.
    My intention to write this post was, that I saw some threads during the last months, in which users reported that they are not able to access their subscription based vaults (via 1PW 6 and via Web access). All of these users ensured to use valid logon credentials (MP and SK) from their emergency kit.

    In each of these threads the discussion ended with the words "let's discuss this via email".
    Now my question: were these guys able to access their vaults again?
    My concerns are that it's possible to get locked out due to some bugs in the 1PW implementation. A recovery of the data will not be possible, because you will handle the backups and it's not possible to create a local backup from my subscription based vaults.

  • AGAlumB
    1Password Alumni

    I think there was some misunderstanding regarding my question. [...] In each of these threads the discussion ended with the words "let's discuss this via email".

    @Finke03: Ah, sorry about that. Indeed, that's a bit different. I can tell you a few things to both summarize and clear things up:

    1. First and foremost, any conversations involving account or purchase information will need to be private.
    2. We don't have anyone's (well, except our own) Master Passwords or Secret Keys and cannot recover/reset them, but in cases where there is a team or family administrator to perform recovery we can at least point them in the right direction — but again not publicly.
    3. Without the Master Password and/or Secret Key (contained in the Emergency Kit), or an admin who can recover a user's account, it is not possible for the person to access their data; so at that point the only option is to start over — and, again, often this involves helping them migrate to a new account, which would also need to be done privately.

    Now my question: were these guys able to access their vaults again?

    As far as whether or not any of the particular individuals in the previous discussion were able to access their data, it's up to them if they choose to share that information. But speaking in general terms, I see a lot of folks who have set up multiple accounts and/or local vaults, choose different Master Passwords (or, of course, have different Secret Keys generated) for them and get them mixed up — or simply forget to update their Emergency Kit if they change something. Ultimately, since we have none of this information (all 1Password users' security depends on that), the only thing we can do is offer educated guesses and try to help people figure out what's what.

    My concerns are that it's possible to get locked out due to some bugs in the 1PW implementation. A recovery of the data will not be possible, because you will handle the backups and it's not possible to create a local backup from my subscription based vaults.

    I haven't seen that happen even once. Even with local vaults something like that was rare, but not impossible because if the data is damaged on the user's device it cannot be decrypted using the Master Password any longer. Consumer file systems and storage media suck. That's why I love 1Password.com's automatic offsite backup and versioning (which enables item history). Even if something does go wrong at some point, there are multiple redundancies and we can or roll back. And you can bet that we go to a lot of trouble to avoid anything like this happening, because frankly our livelihood depends on 1Password being reliable and available.
    And as you can probably tell, I'm pretty serious about backups, but I can't afford (time or money) to test and maintain every aspect of my hardware and software setup. Most people can't, so I'm glad that we have a solution like this for all 1Password.com members now. Helps me sleep better at night. Cheers! :)

  • Finke03
    Community Member

    Hi Brenty,
    thanks a lot for this response.
    One question regarding the offsite backup is still open. Is it possible to restore a complete account with their vaults? Or is it only possible to recover item by item with the item history?
    One example: I have a single subscription without the option that a team or family member can recover my account. Now I change my master password and after one or two weeks I'm not able to log in anymore, because I forgot my new master password. If this happens, will it be possible to recover my account to the state of 1 or 2 weeks before? In this case it would be possible to decrypt the vault with my old master password.

    Do you know what I mean? In 1PW 4 I have a weekly backup of my vault. So I have several backup versions of my complete vault if my hard disk becomes faulty.

    What are the retention times of the offsite backup (not only for item history)?

  • AGAlumB
    1Password Alumni

    Hi Brenty, thanks a lot for this response.

    @Finke03: You're welcome! Glad to help. :)

    One question regarding the offsite backup is still open. Is it possible to restore a complete account with their vaults?

    Not if you permanently deleted it from your account Profile page on 1Password.com. But let me know if you had something else in mind.

    Or is it only possible to recover item by item with the item history?

    No. You can restore each individual item only. We can consider adding a feature to do "bulk" restores, but I haven't seen requests for this...and I think we need to clarify what we're trying to accomplish. 1Password item changes are all done individually, both in the UI and transmitting to the server, so I'm trying to think of a scenario where you could get into a state where you'd somehow accidentally screwed up, say, all of your data...

    One example: I have a single subscription without the option that a team or family member can recover my account. Now I change my master password and after one or two weeks I'm not able to log in anymore, because I forgot my new master password. If this happens, will it be possible to recover my account to the state of 1 or 2 weeks before? In this case it would be possible to decrypt the vault with my old master password.

    No. The data in your account is encrypted with your Master Password and Secret Key, so, for instance, if you change one or both of those, you can't go back in time to try to use the old Master Password. That could be something an attacker might exploit. It's important that if you change your Master Password because someone discovers it, they can't use your old one to get to your data. That's a limitation of local vaults and backups.

    Do you know what I mean? In 1PW 4 I have a weekly backup of my vault. So I have several backup versions of my complete vault if my hard disk becomes faulty.

    Ah, there it is. If your hard drive is corrupt the data won't checksum and the server will reject the garbage anyway. That's actually why we don't do local backups and use the server as the "source of truth", as restoring from them could have disastrous results when sending to the server, and we don't want a hardware or software failure on your computer to hose your data for all of your devices. That's a limitation of filesystem-based sync (like Dropbox) that we're happy to leave behind. As I mentioned earlier, consumer file systems and storage media suck.

    What are the retention times of the offsite backup (not only for item history)?

    At least 30 days, but it varies depending on the plan. 1Password Families and individual plans have one year; 1Password Teams Standard is 30 days, and 1Password Teams Pro is unlimited. :)

This discussion has been closed.