Safety of Data for Stand-alone version

Autodidact
Community Member

I hold licenses to every version of 1Password for Mac (stand-alone) from 2 through 6. It appears that my data is not as secure as it could be because I am not paying for a monthly 1Password account to have what you call “the secret key.” This is also the answer to the multiple queries I made for “How safe is my 1Password data”. Answer (paraphrase): “The Secret Key kept on your machine gives it super-security.” There is no secret key for 1Password for Mac. So, my question is, is my data safe? If 1Password Account is much safer, is there a price benefit for holding multiple licenses?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Lars
    1Password Alumni
    edited October 2017

    Hi @Autodidact -- I guess there's a few ways to approach answering your question: is your data less secure because you use a standalone vault instead of a 1Password account? My first reaction - and I say this not flippantly but sincerely - is: have we ever had a data breach, in all the years we've had only the standalone model, before we launched 1password.com accounts? No. We have not. Of course, we're the first to tell you that no system is perfect and especially that security is a process, not a product -- but we're proud of that no-breach record, because it speaks to the security of users' 1Password data, even as we've gone from using the OS X keychain to our own Agile Keychain to OPVault format, and from 128-bit to 256-bit AES.

    In the last few versions of 1Password, your data has been kept secure primarily by AES-256 encryption (also PBKDF2 and a few other things, but AES-256 is the linchpin). Decrypting your 1Password data requires an AES-256 unlock key. In the standalone version of 1Password, that key to decrypt your data is derived from your Master Password. Enter the correct Master Password, and the data is transformed back from ciphertext into readable text (it's more complicated than this, but that's the basic idea).

    So what is the Secret Key and why did we add it for 1password.com accounts but NOT for standalone 1Password? You can read more about the Secret Key here, but to understand what it is, the Secret Key is nothing more than a randomly-generated alpha-numeric string of data equivalent to a minimum of 128 bits of entropy. It looks like it might be a product license key, but it isn't. It's generated on your own local device when you first sign up for a 1password.com account, and thereafter, it's also stored locally on your device as well (remember this; we'll come back to it a bit later). What does the Secret Key do? Well, in 1Password accounts, the AES-256 key that actually de/encrypts your data is derived not just from your Master Password (as is the case with local 1Password setups), but from combining your Master Password with the Secret Key. That means even the weakest Master Passwords will be at least a minimum of 128 bits of entropy.

    However, while this means the AES key used to encrypt users' data in a 1Password account is very strong and very difficult to brute-force, that doesn't mean local vaults that use only the user's Master Password to derive the AES-256 key are necessarily less secure. From the very first version of 1Password, we have consistently told users and anyone else who would listen that choosing a strong, secure Master Password was the critical element in securing your 1Password data, and that remains true to this day - perhaps even more so today than when we first said it.

    However, we know that, in the real world, not everyone follows - or even hears - our advice. The list of most commonly-used passwords is still filled with appalling clinkers like password123 and other such easily-crackable passwords. With 1Password accounts, WE now host users' data (instead of users keeping their data locally on their own devices, and managing their own sync). One of the reasons we implemented the Secret Key for 1Password accounts is because we knew we needed to take precautions, such that if our servers that host users' data were ever hacked (even though we take great care, server-side, to ensure that does not happen), and hackers made off with users' encrypted data, even those with the weakest Master Passwords would still be protected.

    And with the Secret Key, they are. If a hacker were able to penetrate or bypass all the defenses we put in place on our server and obtain users' encrypted data, the Secret Key requirement ensures that even the weakest Master Passwords aren't only the easily-crackable password123 but instead the much safer password123 PLUS something like A3-VZ3FGT-YKOJRL-DKS36-FRZ9B-3HQSC-MFRTP. (note: please do not use the preceding Secret Key example for anything, now that it's been posted publicly). In other words, any adversary in possession of a user's encrypted data would require not only that user's Master Password (which we can't control, except within broad limits) but ALSO their Secret Key, which never leaves the users' device(s). In this way, we ensure the security of users' data even IF we get hacked and the user has used a weak Master Password.

    When it comes to local 1Password setups, implementing the Secret Key would not appreciably strengthen users' Master Passwords, because - remember - it is stored locally on users' devices. That means: any adversary who was able to acquire your data by acquiring your actual device...would also be in possession of the Secret Key. If you have local vaults instead of a 1Password account, and you've taken the time to create a strong Master Password, you're as safe as you've ever been since you began using 1Password, which is to say: very.

    All of that said, we do think 1Password accounts are more convenient and more reliable (no-setup offsite backups with individual item history, zero-setup syncing of data across all devices) than the traditional local vault model. The upcoming 1Password 7 will be a paid upgrade for all users unless you've purchased very recently, so you'll need to choose explicitly then whether you want to pay for an individual upgrade to your existing 1Password license, or whether it's time to switch to a 1Password account. I think the choice is a clear one, but we offer both avenues depending on users' preference. Let us know if you have any questions!
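
    To make the reasoning in the reply above concrete, here is an added Python model of the two key-derivation setups it describes (standalone: key from the Master Password alone; account: Master Password combined with a locally stored Secret Key). It is illustration code, not 1Password's actual scheme: the PBKDF2 parameters, the salt, the way the Secret Key is mixed in, and the 26-character Secret Key format are constructed assumptions; only the "at least 128 bits of entropy" property is taken from the page.

```python
import hashlib
import hmac
import math
import secrets
import string

# Constructed parameters for this illustration (not 1Password's real values).
ALPHABET = string.ascii_uppercase + string.digits   # 36 symbols
SECRET_KEY_LEN = 26                                 # 26 * log2(36) ~= 134 bits
ITERATIONS = 100_000
SALT = b"constructed-salt-stored-beside-the-ciphertext"


def generate_secret_key():
    """Random alphanumeric Secret Key, displayed dashed like the page's example."""
    body = "".join(secrets.choice(ALPHABET) for _ in range(SECRET_KEY_LEN))
    groups = [body[:6]] + [body[i:i + 5] for i in range(6, SECRET_KEY_LEN, 5)]
    return "A3-" + "-".join(groups)


def secret_key_entropy_bits():
    """Entropy an attacker must search when the Secret Key is unknown."""
    return SECRET_KEY_LEN * math.log2(len(ALPHABET))


def derive_key(master_password, secret_key=None):
    """Standalone model: PBKDF2 over the Master Password alone.
    Account model (secret_key given): the Secret Key is mixed into the
    derivation, so the result carries its ~134 bits on top of whatever the
    Master Password contributes. The mixing step here is an assumption."""
    salt = SALT
    if secret_key is not None:
        raw = secret_key.replace("-", "").encode()
        salt = hmac.new(raw, SALT, hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                               ITERATIONS, dklen=32)


def weak_password_recoverable(target_key, common_passwords, secret_key=None):
    """Server-breach model: the attacker holds the encrypted data and salt
    and tries a short list of common passwords. Returns True if that list
    alone reproduces target_key. Pass secret_key to model device theft,
    where the locally stored Secret Key is in the attacker's hands as well."""
    return any(hmac.compare_digest(derive_key(p, secret_key), target_key)
               for p in common_passwords)
```

    The last scenario, where the Secret Key is present alongside the stolen local data, is exactly the reply's point about why the Secret Key adds little for local vaults: the Master Password's strength is again the only barrier.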

  • Autodidact
    Community Member

    Thank you very much for your detailed reply.

  • Lars
    1Password Alumni

    @Autodidact - you're quite welcome! Feel free to drop by anytime if you have further questions. :)

This discussion has been closed.