Lack of Secret Key in standalone version means this licenced version is less secure?

DCIFRTHS
Community Member

Hello Agile Bits Staff,

I am using version 6 standalone, but let's apply the question below to version 7 too. I am about to pull the trigger on it.

After reading the information here (the information to the left of, and BELOW the bear), and here, I am now under the impression that the single license version of 1Password is less secure than the family or subscription versions.

I say this because the wording of the information provided implies that the Secret Key ups the encryption to 128+ bits as opposed to 60 bits.

I do realize that the Secret Key protects from brute force attacks on your servers, and that without the key, it would be near impossible to decrypt the data - if the data was ever stolen. This makes sense to me... but what if my data is intercepted while syncing to iCloud, or backups from iCloud Drive (as examples) while using the standalone version of 1Password that doesn't use the Secret Key (according to the information you have posted in the links above).

Hopefully, I am just confused by the complexity of the workings of encryption, and you can explain to me, in a way that I can comprehend, that I am wrong, and why.

Thanks!


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Sajjon
    Community Member
    edited June 2018


    I am also wondering about iCloud Drive syncing... is that something that you advise against using? I am curious which data gets synced.

    Let me explain what I mean: on my Mac, navigate to System Preferences -> iCloud -> iCloud Drive, where we can specify which apps store "documents and data in iCloud". 1Password 7.app is on that list. Spontaneously I feel that I don't want this checked? As I would like to manually set up my vaults on my devices using my 1Password Secret Key (and Master Password).

    If I use iCloud syncing I have to trust that iCloud does not get hacked. Because Agile Bits already sync my items in my vaults between my devices.

    So what is your official recommendation Agile Bits? :)

  • Corey_C
    Community Member

    @DCIFRTHS

    1Password's security model is designed so that it is not dependent on where you store your data. As long as you use a strong Master Password, your data is secure. The difference is that, with standalone syncing, the security of your data is more directly related to the strength of your Master Password than when using 1Password.com.

    If you are using standalone syncing, in order to gain access to your data an attacker would need two things: access to the sync service, be it Dropbox or iCloud, and your Master Password. Breaking into, say, iCloud, is not an easy feat in and of itself. There are also extra factors such as 2FA and proper security of the login data for those services that contribute to it. If that is done, though, the security of your data is directly related to the strength of your Master Password. If you have a poor Master Password, then it would be substantially easier to decrypt. If you have a proper, secure and complex Master Password then your data is secure.

    With our 1Password service, we wanted to take all the ifs and maybes out of the equation. We knew that our service would be a big target. We also know that not everyone picks the more secure Master Password, despite our best efforts to encourage it. So we developed a system where you have strong secrets forming the keys for your encryption right out of the box. In order to access 1Password.com data you need two things: your Master Password and the Secret Key. In order to acquire the Secret Key, they effectively need access to one of your devices and the ability to unlock 1Password on said device. The Secret Key alone, as you said, has 128 bits of entropy meaning that you have at least that amount regardless of what your Master Password might be. You could reach that with a strong enough Master Password but the Secret Key provides it right out of the box and a strong Master Password on top of it would only increase the complexity.

    @Sajjon

    You are not actually saving any of your 1Password data in the iCloud Keychain if you are using a 1Password membership, even if you have that enabled. Certain details are stored in your iCloud Keychain to help restore access to your account should your devices lose it and various other settings and other stuff across devices. It's perfectly safe to use but, as with most things, you can turn it off if you'd like.

    Hopefully I've outlined things well enough for the both of you. Let us know if you have any other questions. :)

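    The comment above says the Secret Key contributes 128 bits of entropy on top of whatever the Master Password provides, so a vault copied from a sync service cannot be opened by guessing the password alone. The Python below is an added illustration of that idea; it is not 1Password's actual key derivation (this thread does not describe it) and not AgileBits code. It derives a vault key from a password with PBKDF2, optionally mixes in a key stretched from a random 128-bit secret with HKDF, and then runs a small word-list guess against both variants. The salt, the secret, the iteration count, the word list and the HKDF info label are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Constructed sample values for this illustration only.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
SECRET_KEY = secrets.token_bytes(16)   # 128 random bits, generated on the device
ITERATIONS = 10_000                    # kept low so the example runs quickly
WORDLIST = ["password", "letmein", "correct horse", "qwerty123"]  # constructed


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes) -> bytes:
    """Single-block HKDF (RFC 5869) with SHA-256, returning 32 bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()


def password_key(password: str, salt: bytes) -> bytes:
    """Slow, salted key from the Master Password alone (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS, 32)


def vault_key(password: str, salt: bytes, secret_key: Optional[bytes]) -> bytes:
    """Standalone-style: the key depends on the password only.
    Secret-Key-style: XOR the password key with a key stretched from the secret,
    so both inputs are needed to reproduce the key (hypothetical combination)."""
    pk = password_key(password, salt)
    if secret_key is None:
        return pk
    sk = hkdf_sha256(secret_key, salt, b"example-secret-key")
    return bytes(a ^ b for a, b in zip(pk, sk))


def guess_password(target: bytes, candidates: Iterable[str], salt: bytes,
                   known_secret: Optional[bytes]) -> Optional[str]:
    """Model of someone holding a copied vault and trying a word list.
    known_secret is whatever they have of the Secret Key: None means nothing."""
    for cand in candidates:
        if hmac.compare_digest(vault_key(cand, salt, known_secret), target):
            return cand
    return None


def demo():
    user_password = "correct horse"          # deliberately weak: it is in WORDLIST
    standalone = vault_key(user_password, SALT, None)
    with_secret = vault_key(user_password, SALT, SECRET_KEY)

    # Password-only key: the copied vault falls to the word list.
    found_standalone = guess_password(standalone, WORDLIST, SALT, None)
    # Password + Secret Key, secret not known: the same word list finds nothing;
    # each password guess would have to be paired with one of 2**128 secrets.
    found_with_secret = guess_password(with_secret, WORDLIST, SALT, None)
    # Secret Key obtained as well (e.g. from an unlocked device): back to password strength.
    found_with_stolen = guess_password(with_secret, WORDLIST, SALT, SECRET_KEY)
    return found_standalone, found_with_secret, found_with_stolen


if __name__ == "__main__":
    print(demo())   # ('correct horse', None, 'correct horse')
```

    The XOR of two independently derived 32-byte keys is just one way to make the final key depend on both inputs; the point the thread makes is the entropy arithmetic, not the exact construction. Note also the third case: once the Secret Key is on the same device as the vault and that device is unlocked, the extra 128 bits no longer help, which is why the comment says the Master Password still matters.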
  • DCIFRTHS
    Community Member

    @Corey_C

    Okay. The way I read your answer is this: the versions of 1Password that use a Secret Key are more secure if the user-chosen Master Password is the same.

    My next questions are these:

    1) What versions of 1Password 7 use the Secret Key, and allow for wi-fi syncing? It seems that only subscription versions use the Secret Key.

    2) Do any versions of 1Password 7 use a Secret Key, and allow for wi-fi syncing?

    3) What type of syncing do you personally use?

    Thanks,
    Anthony

  • DCIFRTHS
    Community Member
    edited June 2018

    @Corey_C @brenty

    Anyone?

  • Andrew_Lapadat
    1Password Alumni

    Hey @DCIFRTHS

    Rest assured that any version of 1Password you choose to use will be secure as long as your master password is sufficient, and our tool should provide enough guidance when setting it. There is no version that uses the Secret Key and allows wifi syncing, simply because that is not what the Secret Key was designed for within our security model. We recommend our 1Password accounts simply because it allows us to control the whole process, and like Corey said, a Secret Key was deemed necessary in this case. For other sync methods, ultimately the security of your vault is based on that cloud service and their security (as well as how secure your accounts for those services are). If you've got any further questions, feel free to tag any of us here.

This discussion has been closed.