Should I Move Everything to Subscription Vault?
Hi,
I recently moved to a Subscription. I'm using it on Mac, iPads and iPhone.
I still have most of my passwords in two vaults that are shared via DropBox.
I'm pretty sure I'll stay with the Subscription, so should I migrate all the passwords from the local/DropBox vaults to the 1Password Subscription model? I'm wondering if there are any disadvantages to this.
Thanks for any advice.
Regards,
Patrick
1Password Version: 6.8.5
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
If I was you, I'd migrate everything over to the subscription. Even if in some point in the future you decide to unsubscribe then you can copy all of your passwords to an offline vault without needing to start afresh.
Advantages
- 1Password backs up all your data
- It's more resilient than Dropbox (no data conflicts)
- Passwords are much more secure (because of the Secret Key)
- Any hidden, structural changes to the 1Password database won't affect you
Disadvantages
- You're tied to a subscription - if you unsubscribe your account becomes read-only (plus export)
0 -
@darrenNZ - thanks! That is exactly what I needed to know.
On another note, I would kind of like to completely block web browser access but, yes, the Secret Key security is great.
0 -
When you say you want to "completely block web access", you know that you can?
The way 1Password works is that every time you connect to the internet the application checks for any changes to your passwords on the server and then it downloads the database to the device. If you have 3 devices (tablet, laptop, mobile) then you've got four independent copies of your data (the fourth being the AgileBits server).
By working like this it means that you always have access to your passwords even if AgileBits systems go down.
If for whatever reason you want to completely block web access you can, by blocking 1Password through your firewall. My suggestion is that you don't, unless you've got a very pressing need to, because if you forget to unblock it then your passwords will be out of sync. However if you want to do that, it's entirely your choice. :)
The Secret Key concept doesn't work with Dropbox hence why, when 1Password moved away from that model, the data security increase was tremendous. It makes sure that even a weak master password is at least 128 bits long and it prevents a hacker from guessing your master password. If a hacker were to try to brute force your database they'd have to try 1 password many billions of times (to exhaust the number of possible secret keys) before even moving onto their second password attempt. Totally infeasible.
To further secure things, the Secret Key is never sent to the server which makes it even more secure. Just make sure you never lose it!
0 -
@darrenNZ - really great reply, thanks!
(I'm familiar with how that works though wouldn't articulate it so well :-) – I'm in and out of ~/.ssh a lot for work projects.)
What I was meant to say was that I'd prefer for there not to be web browser access to my keychains via: https://my.1password.com/
I appreciate my browser device has to be registered via the secret key in the first place, so there shouldn't be a greater security risk. But old feelings die hard.
Either way, great reply, and thanks for taking the time!
0 -
What I was meant to say was that I'd prefer for there not to be web browser access to my keychains via: https://my.1password.com/
Understood @patrickgilmour
There's no way to hide your keychains or vaults from the "1password.com" site however if you're concerned about Javascript cryptography (which is a valid concern) then don't log in via the website. Change your master password through the 1Password native application and you shouldn't need to access the web browser again. This is about as secure as you can get it.
Even if a hacker had remotely compromised TLS and somehow captured your secret key and master password then, by changing your master password, they'd still be unable to gain access.
If I misunderstood your comment [and you were talking about extensions] then you don't need to use the 1Password browser extensions; they're entirely optional: but incredibly convenient.
I'm in and out of ~/.ssh a lot for work projects.)
Since you mention it, that's another benefit of moving entirely towards a subscription. 1Password now have a CLI tool which is only compatible with the subscription service. This is great for Linux although you can use it on Windows, macOS, FreeBSD, NetBSD, OpenBSD.
For the average user, or for a Linux GUI or for people using Chromebooks then 1Password X is a good alternative. Again, this is only compatible with the subscription service.
0 -
@darrenNZ - thanks for being such a stellar community member—I really appreciate all this great information!
I'll definitely do this:
There's no way to hide your keychains or vaults from the "1password.com" site however if you're concerned about Javascript cryptography (which is a valid concern) then don't log in via the website. Change your master password through the 1Password native application and you shouldn't need to access the web browser again. This is about as secure as you can get it.
Thanks!
0 -
Many thanks for the assist here @darrenNZ!
@patrickgilmour It looks like darrenNZ has done well answering your questions but if there is anything else we can help with please don’t hesitate to ask. :smile:
Ben
0
