Issues with using a local Primary vault simply for different Master Password
I plunged ahead with subscribing to a Family membership on 1Password.com and installing 1Password app on my Macs and iOS devices without doing much (read "any") searching and reading on your website. From past 9 years experience w/ 1Password, I simply assumed it would just work. After thrashing about for a day or so and reviewing Support Forum comments, I feel like I now understand how everything works.
IMO, and in retrospect, it would be great if you had a single article that described what happens when one converts from standalone to a 1Password.com Family (or Personal) membership written from the perspective of the user experience. Especially the fact that third party Sync solutions are no longer necessary, the impact of retaining one's Primary local vault (if you choose to do so), and the concept that one has to Create new vaults in 1Password.com, populate them from Existing local vaults then delete them. Also, explain the local caching of vaults under the various apps. I think I understand it all now, but it could have been way easier trip with a better guide.
Anyway, because my crispy new 1Password.com Family membership was to exist out there in the cloud, I dutifully created a long, somewhat tedious, Master password instead of the shorter, easier Master password on my local 1Password installation. Right out of the box, when first queried for my Master Password on my macOS installation, entering the Very_Long_Tedious_Master_Password several times got me nothing but errors. On a whim, I entered my old Short_Handy_Master_Password and Bingo, I'm in. Further confusion ensued when two Vaults previously shared through a Dropbox folder showed up as "ON MY MAC" and not "ON DROPBOX".
Whatever. I moved items from my Primary Vault to the Private vault, created new secondary vaults (one for each one my extant local vaults), moved the Items to the new vaults, deleted the old Vaults. Reviewed all the Preferences settings to see it they were appropriate and changed as necessary (new Items in Private vault instead of Primary Vault for example).
Everything was fine until I decided to delete my Primary vault which then made it necessary to use the Very_Long_Tedious_Master_Password again. Through the Support site, I found I could simply create a new Local Vault named "Primary" to hold the Short_Handy_Master_Password and no Items and I'm back to normal.
So, the question: I choose to use a somewhat simpler MPW on my Local (empty) "Primary" vault solely to make opening the 1Password app on my Mac easier and quicker. My assumption is that this poses no additional risk unless my MacBookPro is either stolen or otherwise physically accessed. Is this correct?
Further, the Primary Vault exists on, and is synced via, Dropbox as before so 1Password app will run the same for my user account on my wife's MacBookAir.
1Password Version: 7.0.7
Extension Version: Not Provided
OS Version: macOS 10.13.6
Sync Type: Dropbox
Comments
-
@jbthomson2 - I'm sorry for the rough ride you had; glad to hear it sounds as if you were able to sort it out eventually.
...it would be great if you had a single article that described what happens when one converts from standalone to a 1Password.com Family (or Personal) membership written from the perspective of the user experience.
Yeah, I'm sure it would -- and we gave a lot of thought to this. In fact, we do have at least one such article on our support site. But what's happening fairly frequently since the release of 1Password 7 for Mac is not just that people who were previously users of standalone 1Password are now switching to 1password.com accounts, but that they're doing it at the same time as upgrading from an earlier version of 1Password for Mac to version 7. And the problem we found with trying to write that article was: from the perspective of which customer? The one who's upgrading from a very old version of 1Password 5 for Mac? The one who's already a 1password.com user and just wants to upgrade his 1Password for Mac version? The one who's a standalone user sharing Dropbox vaults with family members who wants to get everyone upgraded to version 7 and switch to a 1Password Families account? The guy who's been using the Mac App Store version but wants to stay with standalone data in version 7? You get the idea -- we just couldn't come up with a way to make any such article brief, easy-to-understand, non-intimidating for the less technical user and also comprehensive at the same time.
Most of what we did for this dual-upgrade path (both 6 --> 7 and standalone --> 1password.com), we tried to bake into the process itself...and on the whole it worked pretty well for most people. But there are always edge cases, and that's what we're here -- in this forum and also via email -- to help people though, on a case-by-case basis.
The "happy path" for doing both of those things at the same time would have been: download the 1Password 7 for Mac app and run the installer. First run would check for the presence of existing data from earlier versions, and import it. User would be presented with a screen asking if they had an existing 1password.com account, and if not, whether they wanted to subscribe now, or purchase a standalone license. Once that choice is made, the previous version's data is imported into either a new standalone vault(s), or into the newly-created 1password.com account. But - as I said - this doesn't take into account a few edge cases, such as if you want to retain standalone vaults AND create a new 1password.com account, etc.
To answer your question, if you created a long, strong Master Password for your 1password.com account, but you've retained your shorter, easier-to-remember (and, presumably, crack) Master Password for a standalone Primary vault in your "home" Mac, then you're correct, unless someone's able gain either physical or remote access to your actual Mac at home, this doesn't lower your security. Data stored on the 1password.com server is actually more secure than any of our 3rd party cloud sync providers (Dropbox, iCloud) because of the Secret Key (something we can't implement on 3rd party servers). So if someone were to manage to breach our servers, they'd need to not only have your Master Password (which you presumably don't share with others) but also your Secret Key, which is never transmitted to us. But your local copy of your 1Password data that resides on your own Mac is protected only by the Master Password, just as it's always been. And because of the nature of "escrowing" the keys to any vaults/accounts you add into 1Password for Mac behind the Master Password of the Primary vault, if someone DID manage to gain access to your Mac, they'd have the keys to everything (literally, including your 1password.com account). It's an open question as to how much you think that actually affects or has the potential to affect your real-world security. Me? I'm one of those idiots cautious people who took the time to actually memorize a lengthy, randomly-generated password for his Master Password...but I don't expect other people to have the patience (or, in some cases, the capacity) to do the same, and to type it in each and every time they need to unlock 1Password. So if you consider your physical Mac pretty secure and safe in your home, then you're probably fine doing what you did.
0