Can I use the subscription version of 1Password but only use Dropbox/iCloud sync?
I'm considering whether to buy a 1Password 7 license or subscription. I don't want to store my data on 1Password.com; instead, I want to keep using Dropbox and iCloud for sync (I have two vaults, one kept on each of those). Can I keep using those without having any of the vault data stored on 1password.com? I just want the subscription for other features like the family support (multiple installs, basically) and to keep it up-to-date over the long run.
Thanks!
1Password Version: 7.0.1
Extension Version: Not Provided
OS Version: macOS 10.13.5 beta
Sync Type: Dropbox and iCloud
Referrer: forum-search:Can I use only Dropbox sync and not the 1password.com account for sync?
Comments
@Ben -
So, this is mostly because I try to limit the amount of exposure sensitive data has online, and adding another place where I keep stuff does not appeal to me right now. I already have accounts I use to sync data, and would prefer to just use those instead of opening up another potential vector of risk.
0 -
The short answer is yes, but you’ll be paying for features you won’t be able to take advantage of.
I laughed when I read this. You mean for @a2sheppy it would be a bit like how, with my 1Password.com membership, I will be paying for features I won't be able to take advantage of, like the Windows app and the Android app?
Obviously, the cost of the membership was set to help cover all development costs, i.e. for all platforms. I don't know what the incremental costs for Windows and other things were, but they are certainly non-zero and I'll be paying for those things I can't use. :)
(not meaning to hijack the thread, just commenting on the unintended irony in your response)
0 -
I see. I suppose at least by going with a membership you’d have the option to switch later down the road if you decided to. I think it might be worth taking a read through our security white paper though before you decide.
Ben
0 -
@Ben - Thanks for that link; I will have a look. I think the trick for me is that as an employee of a company that deals with web security issues (Mozilla), I see how often and how easy it is for a supposedly secure application or server to wind up breached. I'm sure you guys have done a great job -- I promise, I've used 1Password for ages, which I wouldn't have if I didn't trust it -- but I'm so painfully aware of the ease with which servers can be breached, and how easy it is for someone to make a mistake that, for instance, leaves test code in place that accidentally stores unencrypted bits of data somewhere with lower security, etc.
And my 1Password database is so crucial that I keep it secure. With it, people have access to my entire life. Not even just my online life, but my offline one as well. With it, someone has access to my entire family's social security accounts, retirement savings, my driver's license number, all my credit cards, my passport, my health insurance, and so on. A breach could potentially ruin me. Totally ruin me. So I'm extra cautious with this data.
I may at some point decide that I trust your server enough to switch to the subscription model. I hope that happens, in fact; there are huge conveniences there that I wish I had access to. But I am going to wait and see how things go for a while first.
Eric Shepherd
Senior Technical Writer
MDN Web Docs
https://developer.mozilla.org/
Blog: http://www.bitstampede.com/
Twitter: http://twitter.com/sheppy
0 -
Hi @a2sheppy
It's incredibly important to remember that 1Password encrypts your data before it's ever sent to our servers. Same thing it does if you were syncing with Dropbox or iCloud. The security of your 1Password data does not depend on the security of Dropbox or iCloud, and likewise, the security of your 1Password data does not depend on the security of our servers when using a 1Password.com Membership.
In fact, there is an additional component that our 1Password.com Members get to use that our Dropbox and iCloud users do not get. We call it the Secret Key, and it's outlined in greater detail in the white paper, but I can give an incredibly quick overview here.
When you create an account we generate a Secret Key for your account locally on device. It is never sent to us, just like your Master Password. It looks a little something like this: A3-KHPBYA-YSBZJJ-7JR66-QVV23-ZWRTR-VVMTS. These two items are combined to derive several keys necessary to access your account (via SRP) and gain access to other keys for encryption/decryption of data. An attacker is going to need both of these two sets of data. None of which we have.
This isn't the entire story, as there's more to it under the hood, but to really overly simplify things, we can make a simple comparison:
- If an attacker gains access to your encrypted data in Dropbox, they need to guess your Master Password
- If an attacker gains access to your encrypted data on our servers, they need to guess both your Master Password and your Secret Key (together, not separately, they can't just guess one without the other).
So the reality is that data on our servers is significantly more secure than it would be on any other service. Don't take this to mean that it's not secure on Dropbox or iCloud, it certainly is, but if you want the most secure solution, 1Password.com is it.
I hope that helps a little bit, but I highly suggest reading the white paper linked above. It really hammers home a lot more of the gritty details and it does so in pretty easy to understand language. It's still technical but at the same time goes a long way to explaining things as well.
You also had a statement which I'll quote:
but I'm so painfully aware of the ease with which servers can be breached, and how easy it is for someone to make a mistake that, for instance, leaves test code in place that accidentally stores unencrypted bits of data somewhere with lower security, etc.
I think I've tackled the first part about our servers being breached. Your security does not depend on that.
But because your data is encrypted locally, we never have the opportunity to leave test code around that stores unencrypted data on the server. The server never decrypts your data and therefore cannot have the decrypted data. It doesn't even have the necessary keys to decrypt any of your data. All our server has is random gibberish that only you can decrypt.
If you have any other questions please let me know!
Kyle
1Password Security Team
0
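Added example (not part of the original thread and not 1Password's code): a simplified sketch of the comparison in Kyle's reply, where an offline guess against stolen encrypted data only works if both the Master Password and the Secret Key are right. The PBKDF2/HKDF/XOR construction, round count, salt, account ID, sample password and the `key_check` stand-in are assumptions for illustration; the white paper describes the actual derivation.

```python
import hashlib
import hmac

PBKDF2_ROUNDS = 100_000  # assumed work factor for this sketch


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869): extract with the salt, then expand to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_unlock_key(master_password: str, secret_key: str,
                      salt: bytes, account_id: bytes) -> bytes:
    """Mix a slow password stretch with a keyed expansion of the Secret Key."""
    from_password = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), salt, PBKDF2_ROUNDS)
    from_secret = hkdf_sha256(secret_key.encode(), account_id, b"example-2skd")
    # XOR of the two halves: a guess must get both right to reproduce the key.
    return bytes(a ^ b for a, b in zip(from_password, from_secret))


def key_check(key: bytes) -> bytes:
    """Constructed stand-in for stolen ciphertext: lets a guess be tested offline."""
    return hmac.new(key, b"key-check", hashlib.sha256).digest()


def guess_succeeds(stolen: bytes, password: str, secret_key: str,
                   salt: bytes, account_id: bytes) -> bool:
    candidate = derive_unlock_key(password, secret_key, salt, account_id)
    return hmac.compare_digest(stolen, key_check(candidate))


# Constructed sample values; the Secret Key is the sample shown in the post above.
SALT = bytes(range(16))
ACCOUNT_ID = b"EXAMPLEACCOUNT"
PASSWORD = "correct horse battery staple"
SECRET_KEY = "A3-KHPBYA-YSBZJJ-7JR66-QVV23-ZWRTR-VVMTS"
STOLEN = key_check(derive_unlock_key(PASSWORD, SECRET_KEY, SALT, ACCOUNT_ID))

if __name__ == "__main__":
    print("both secrets:", guess_succeeds(STOLEN, PASSWORD, SECRET_KEY, SALT, ACCOUNT_ID))
    print("password only:", guess_succeeds(STOLEN, PASSWORD, "A3-WRONG-GUESS", SALT, ACCOUNT_ID))
    print("secret key only:", guess_succeeds(STOLEN, "123456", SECRET_KEY, SALT, ACCOUNT_ID))
```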