Will VPN make frequent "new" devices? Plus clearing cookies and local storage...
I'm trying out 1P V7 membership.
Questions:
I use a VPN frequently, so won't I appear as a new device frequently? Could get annoying assuming it uses IP address to determine device.
I use (and recommend) Cookie for frequent clearing of cookies and other web site local storage. Could that cause me to have to enter secret key frequently?
Finally, in any emergency, if I don't have the secret key, I'm in as much trouble in the membership scenario as the standalone scenario - either way I can't get to my passwords. Right?
Many thanks. Russ
ps. I assume I get one free month to play with the membership model, can I still decide to buy standalone at the current $49 price within that 1 month? (up until July 7?)
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:vpn
Comments
-
OK. I have had it.
I want you to kill and delete my V7 account, as soon as possible.
It isn't easy to do, as far as I can see.I want OUT.
This whole thing, predicated as "one password" has become "two passwords" plus a whole bunch of other junk I don't want or need.
How do I get out? I gave you a credit card, it was for a "free trial" of 30 days.
I've decided this is way too complex and I am on record as asking you to cancel my membership.0 -
Instructions for managing your account, including how to cancel it, are found on this web page:
0 -
I am a long time 1P license user and I also tried out a 1P 7 membership trial.
Using my 1P license version became much easier when I got my first MacBook touch - now I never sign-in to 1P until I happen to need it during the day, at which point I just touch to open it, then let it lock whenever I sleep my computer. Using the membership version immediately became much more complicated, since I had to copy (from where, if 1P is not already open???) my secret key every time I opened 1P. I also frequently delete my cookies, mostly to kill-off tracking cookies.
I ended up buying the 1P 7 license and I am very happy with it. I think the whole point of a password manager is convenience, and also, of course, zero knowledge security. I use a strong master password that I can remember. For me, using 2FA, or worse, entering a secret key that has to be saved on my desktop so I can copy it easily (reduced security!) undermines the convenience of a password manager.
I love 1P, but until AgileBits figures out a way to let me sign-in to a membership account with just my MacBook touchpad I will stay with the 1P 7 license version.
0 -
@rosswell - I'm sorry for the trouble you've been having.
I use a VPN frequently, so won't I appear as a new device frequently? Could get annoying assuming it uses IP address to determine device.
It does not, exclusively.
I use (and recommend) Cookie for frequent clearing of cookies and other web site local storage. Could that cause me to have to enter secret key frequently?
Potentially, yes.
Finally, in any emergency, if I don't have the secret key, I'm in as much trouble in the membership scenario as the standalone scenario - either way I can't get to my passwords. Right?
With a 1password.com membership, you will need your Secret Key anytime you sign into a 1Password app on a new device (or browser). If you remove all the local storage, you'll need to do this repeatedly with browsers, but only once with apps, on first run. If you use 1Password on any device you should have the Secret Key within each app. You can see it in 1Password for Mac, for example, by visiting Preferences > Accounts.
I assume I get one free month to play with the membership model, can I still decide to buy standalone at the current $49 price within that 1 month? (up until July 7?)
Not necessarily, no. The current launch special of $49.99 instead of the regular price of $64.99 lasts...however long it lasts. We were originally thinking anywhere between a week and a month, but nothing's certain except that when the launch special pricing is over, it's over. If you happen to finish a 30-day trial of 1password.com and decide you want a license instead and the special pricing is still in effect, you'll be able to get it for that price. But we're not guaranteeing a free 30-day trial AND discount pricing if you change your mind.
I want you to kill and delete my V7 account, as soon as possible.
@hawkmoth's link is quite correct -- you can delete your own account. We cannot delete it for you.
This whole thing, predicated as "one password" has become "two passwords" plus a whole bunch of other junk I don't want or need.
Not really. Yes, there's a second encryption factor for 1password.com accounts, but you don't need to remember it. You certainly shouldn't share your Secret Key with anyone, but each time you sign into a new 1Password app or browser, the Secret Key is stored for you, so you only need to remember your Master Password on subsequent visits.
I've decided this is way too complex.
I'd be happy to answer any questions you might have, and now that I'm monitoring this discussion, I'll be able to reply to you much more quickly.
0 -
I am a long time 1P license user...
You sure are, and you're awesome for it. Thanks. :)
Using the membership version immediately became much more complicated, since I had to copy (from where, if 1P is not already open???) my secret key every time I opened 1P. I also frequently delete my cookies, mostly to kill-off tracking cookies.
Yup, that's going to be a problem. If there's a way you can set the 1Password-specific cookies to be whitelisted by whatever app you use to do the cleanup, you can avoid this problem with browsers. Otherwise, you'll have to open 1Password for Mac and copy the Secret Key from either any Login item you have set up for your account, or directly out of Preferences > Accounts.
I ended up buying the 1P 7 license and I am very happy with it.Yay! We offer both because we know one size doesn't necessarily fit all. Glad you're happy with your license purchase.
To be clear, although I would recommend it, storing your Secret Key on your desktop isn't a significant drop in security of a 1password.com account unless you have a habit of leaving the file open and wandering off (or doing screen-sharing). The Secret Key is relatively easy to exfiltrate for any competent adversary, because it's stored in browser memory. The idea here is that standalone 1Password is as strong as your Master Password (well, and I suppose AES-256 also, but that's the strongest link in the chain). The idea with standalone 1Password was that even if you left your phone or laptop in a cafe and a skilled miscreant grabbed it, they couldn't break into your data because of the encryption and PBKDF2 -- and your presumably long and strong Master Password. In other words, it's designed with a worst-case in mind: someone's ALREADY gotten a copy of your data because they stole a device of yours. The question is: can they break it? And since 2006, the answer has continued to be: no.
With a 1password.com account, the Secret Key isn't designed to strengthen that model, it's designed to protect you against a breach of OUR servers. We go to great lengths to make sure your encrypted 1password.com data vaults can't be accessed by hackers, but here again, we design with a worst-case scenario in mind: we assume someone IS able to breach our servers and retrieve a bunch of user's encrypted data. Now, that data still does have all the strengths I mentioned above (AES256, PBKDF2, your Master Password), but the Secret Key's role is to add that 128-bit equivalent extra key ON TOP OF your Master Password, which puts it into the realm of the age-of-the-universe timeframe to brute-force. And the Secret Key is NEVER sent to our server, which means an attacker who gets possession of data from our servers would need to find the Secret Keys AND the Master Passwords of any data (s)he managed to grab. And the only place to get the Secret Key is: on devices you control. That's what it's for: to prevent US getting hacked, not you. If someone gets one of your devices, you have the same protection with a 1password.com account as you always did: your Master Password (and our encryption).
...until AgileBits figures out a way to let me sign-in to a membership account with just my MacBook touchpad I will stay with the 1P 7 license version.
Well, we're not really in control of that one. Apple has not released the APIs to have Touch ID on a Mac unlock specific apps. There are third-party apps that manage a version of it, but for us to do it, we'd have to store your Master Password somewhere in order for Touch ID to access it, and we're just not willing to do that. If we get those direct API calls from Apple, we'll definitely do it. But I'd call somewhere between unlikely and "no way" without them.
0 -
@Lars -
You said, regarding the Secret Key:
That's what it's for: to prevent US getting hacked, not you.
If I ever understood it this way, I've forgotten, so thanks a bunch for that explanation.
I was persuaded long ago that the encryption of my 1Password data is strong enough that it doesn't matter what sync service a user selects, be it local or cloud based. 1Password's security has nothing to do with that. I used to say, when I was much more active here, that the encryption is strong enough that a user with a strong master password wouldn't be any the worse off if the data found its way onto a public server.
0 -
@hawkmoth -- you're quite welcome! Everyone needs a refresher now and again -- us included. There's enough moving parts now that I don't think any of us have ALL of them immediately to mind at all times. The main difference is: we get daily reminders, all day long, when people have this or that issue. Keeps us sharp...ish. ;)
In truth, that quote isn't quite right: the Secret Key doesn't PREVENT us from getting hacked (our server defenses do that). It should more properly read: "That's what it's for: to protect you if WE get hacked, not if YOU do."
0 -
Lars wrote: Well, we're not really in control of that one. Apple has not released the APIs to have Touch ID on a Mac unlock specific apps.
Lars, I am able to unlock my licensed version of 1P 7 throughout the day with my Touch ID. Isn't 1P 7 an app? This lets me set my security so 1P 7 locks every time I close or sleep my computer, and then I can open 1P 7 and fill an ID and password whenever I need too with just my touchpad. If my data in your cloud is fully encrypted, and you never see my master password, why do you need a separate secret key to assure the security of my data in your cloud? Why can't you set up a subscription account so I can unlock it with just my Touch ID?
0 -
@fourwheelcycle - Arrrrgh. You're entirely right. And this is when I know I should stop for the day -- when I mess up basic stuff like this. Yes, of course, you can use TouchID to open 1Password on your Mac. What you can't do (and what I was mistakenly thinking of) is unlock 1Password on your Mac with your Apple Watch (if you have one). Apple Watch has the extra-cool feature of allowing users to unlock their user account on a Mac with certain setup requirements, but THAT'S the API Apple has not yet released to us, not this one. My apologies to you.
If my data in your cloud is fully encrypted, and you never see my master password, why do you need a separate secret key to assure the security of my data in your cloud? Why can't you set up a subscription account so I can unlock it with just my Touch ID?
This may have been part of what started my confusion. If you're opening 1Password 7 with Touch ID, what are you referring to here? Being able to sign in using a browser via Touch ID? Something else? Presumably, you have your 1password.com account signed in, in your copy of 1Password 7. If so, it opens when you unlock via Touch ID...right? What is it exactly that you're asking to be unlocked via Touch ID?
If my data in your cloud is fully encrypted, and you never see my master password, why do you need a separate secret key to assure the security of my data in your cloud?
Because not everyone chooses a very good Master Password, for one thing. We set a minimum limit of ten characters for a Master Password on 1password.com accounts, but that doesn't prevent someone from using
Password123(hey! Eleven characters! Sooper-secret!) as their password. Even a Master Password that's considered good is often usually only around 40 bits of entropy. The Secret Key exists in case our servers were ever to be breached; it means someone who's acquired your encrypted data in a data breach of our servers (or anywhere else except directly from your own device(s)), will need to get past the equivalent of at least 128 bits of password entropy (essentially unbreakable with today's computing resources) that exists from the combination of even the lamest Master Password with the long, strong, and TRULY random Secret Key.0 -
I am not talking about opening or logging-in to my subscription account. I am talking about unlocking my 1P 7 licensed version, which resides only on my computer.
0 -
@fourwheelcycle: Yep. 1Password for Mac has supported Touch ID since it was first introduced. I think Lars was just looking at the clock because it was almost dinner time, and his brain thought "watch" and his fingers typed "watch" instead too. :lol:
Regarding 1Password.com accounts specifically, while there's no way to enter account credentials via watch, Touch ID, etc., you can totally scan the Setup Code for your account using the camera to fill everything but your Master Password. I do. Cheers! :)
0 -
Brent,
As I noted above, I am a long time user of 1P and I love my licensed version. I am also a long time paranoid when it comes to storing my confidential info in the cloud, so I have always synced 1P over my home wifi network. I know it is not recommended but I have learned how to make it work OK for me. It took me a long time to become comfortable and confident with a few zero knowledge cloud apps, including Sync.com and the new 1P.com account. When 1P 7 came out I tried a trial of the 1P.com account and I was prepared to switch to it.
However, I found AgileBits' advertised 1P.com benefit that it is easy to sign-in from new devices to be very difficult to achieve. I frequently delete my cookies, mostly to kill-off tracking cookies, and I always use a VPN when I sign-in to web apps from motels and public spaces like airports. During my trial I needed to enter my secret key almost every time I signed-in to 1P.com and I simply could not find a convenient way to do this.
You said in your response that "you can totally scan the Setup Code for your account using the camera to fill everything but your Master Password. I do. Cheers!". I looked hard at your link but I am at a complete loss on how I could use a saved scan of my QR code to sign-in to 1P.com on my Mac after I have deleted my cookies or when I am signing-in over a VPN. The only way I can think of to save a scan is to print my QR code on paper, scan it with my scanner, save it as a password-protected PDF on my desk top, then open it and somehow use it to sign-in to 1P.com when I am asked to enter my secret key - but how could I do this?
This extra, and seemingly insurmountable, step required to sign-in to 1P.com after I have deleted my cookies (at home) or when I am signing-in over a VPN (on the road) stopped me from continuing with 1P.com. I did purchase a Mac license for 1P 7 and I am very happy with it, but I am still syncing over my home wifi network, which means I have to be very careful about creating new login items or secure notes when I am away from home.
I would love to be able to sign-in and sync with 1P.com when I am on the road (or after I delete my cookies at home) but I just can't figure out how to do it.
0 -
@fourwheelcycle - My suggestion would be to use your preferred brower(s)' cookies management policies to whitelist your sign-in domain. If you have an individual 1Password.com account, it is my.1password.com, if you have a 1Password Families or 1Password Teams account, the prefix will be whatever you created. The specific steps vary for different browsers, but here’s the steps for Chrome, for example
- On your computer, open Chrome.
- At the top right, click More and then Settings.
- At the bottom, click Advanced.
- Under "Privacy and security," click Content settings.
- Click Cookies.
- Under "All cookies and site data," click Remove all.
- Confirm by clicking Clear all.
Once you've "whitelisted" your sign-in domain in this way, you should be able to clear Chrome's cookies without blowing away your Secret Key. Give it a try and let us know. If it works and you'd like to switch back to a 1password.com account, we can certainly work something out with you regarding the purchase you already made of a standalone license: credit for your account, etc. Let us know!
0 -
Lars and brenty,
Lars- thank you for your response. However, I am a Mac and Safari user and I cannot find a way to selectively preserve 1P.com's tracking cookies, if that is the correct terminology. I think the SweetP's "Safari cookies" app might do this, but so far I have not wanted to learn, manage, and continuously update a new app just for 1P. In any event, this would not help me when I sign-in to sync 1P.com over a VPN when I am away from home.
brenty - It would be great if you could respond to my comment and possibly enlighten me on how to scan and (easily) use my setup code when 1P.com asks me to enter my secret key.
0 -
Lars- thank you for your response. However, I am a Mac and Safari user and I cannot find a way to selectively preserve 1P.com's tracking cookies, if that is the correct terminology. I think the SweetP's "Safari cookies" app might do this, but so far I have not wanted to learn, manage, and continuously update a new app just for 1P. In any event, this would not help me when I sign-in to sync 1P.com over a VPN when I am away from home.
@fourwheelcycle: You can remove cookies and other website data from the Privacy tab in Safari Preferences. A quick search in the box will find you what you're looking for. :)
Edit: I misread this originally. I guess you're trying to clear everything but 1Password. To my knowledge, that isn't possible. But it's totally possible to use a different browser (or profile) expressly for 1Password, and then clear the others instead. Let me know what you think.
brenty - It would be great if you could respond to my comment and possibly enlighten me on how to scan and (easily) use my setup code when 1P.com asks me to enter my secret key.
As I mentioned earlier, you can sign into your account in the apps by scanning the Setup Code with the camera. Is there a reason you don't use the app? It sounds like you do, since you mentioned using Touch ID above. It's just a bit confusing. Anyway, scanning the Setup Code works in 1Password for Mac, 1Password for iOS, and 1Password for Android. Hopefully we'll be able to add this to 1Password for Windows before long too. But again, while you will generally only have to enter the Secret Key that the first time you sign into a browser, if you're clearing 1Password's data there (or in the app) you'll need to do it again the next time. I hate to say it, but it sounds like you're (quite literally) going out of your way to making it harder for yourself. That's your call, but I'm afraid don't have any other remedy for that. You can't have it both ways. :blush:
0 -
brenty,
I am confused by your reference to apps. Is my licensed version of 1P 7 for Mac an app? I thought it was. If you are referring to iPhone apps, then I do not use apps - since I do not have or use a cellular phone. When I refer to Touch ID I am referring to my new MacBook Pro with a touchpad that includes a fingerprint ID feature. I also do not know how to scan the Setup Code (the QR code?) with my Mac's camera and then use the scan (by dragging it?) to sign-in to my (now ended) 1P.com trial on my Safari browser.
You say it is my choice to remove my tracking cookies, and you agree there is no way to preserve just 1P.com's tracking cookie (correct terminology?) in Safari. However, even if I stopped clearing my tracking cookies, or switched to a different browser that offered selective whitelisting, or began to use SweetP's Safari cookies app on my Macs, I would still have the problem that I could not easily sign-in to my 1P.com account while I am away from home and using a VPN on my Mac.
As I have said, I would prefer to use 1P.com (now that I am comfortable with your zero knowledge security features) but, for me, the extra step of entering my secret key each time I sign in is one step too many, since I cannot find an easy way to enter it.
0 -
You say it is my choice to remove my tracking cookies, and you agree there is no way to preserve just 1P.com's tracking cookie (correct terminology?)
Sorry to intrude, but just on that one point there is an excellent third party, paid (but reasonably priced) app called Cookie—which I which will do exactly what you want. I appeciate that may not address all your concerns mentioned in this thread but I thought it worth mentioning.
Stephen
0 -
@fourwheelcycle - I'm not a user of (nor have I experimented with) @Stephen_C's suggestion of Cookie, but if he says it will do what you've been describing here, I tend to believe him (and thanks for the suggestion, Stephen!). However, as you mentioned, even this will not change the behavior you experience when logging in via VPN remotely. To be clear, you've tried your remote-VPN setup, and found that you have to enter the Secret Key each time? Or you're just assuming that's the case? If you haven't actually got evidence from experience that suggests you're correct, I'd take the time to try it out and verify or disprove that idea, because the truth is that if that remains a problem for you, then we're pretty much out of ammo for you to try other solutions. You could return to a standalone setup, but that seems (to my mind, anyway) an extreme solution to the problem, if you're happily set up (otherwise) with a 1password.com account.
0 -
I have ended my 1P 7 trial and purchased the licensed version, so I can no longer pursue your suggestions.
0 -
Thanks for the update, @fourwheelcycle.
Ben
0
