Basic Qs about 1PW web-based vaults

Hi @ronread

Thanks for being a long time customer. :) I'd be happy to help you get up to speed with the latest and greatest.

From your previous answers, I understand that there is no added security risk with the website compared to DB or iCloud—Right?

The risks are perhaps slightly different in some respects, but no, I wouldn't say that there is any reason to be concerned about additional risk.

If I migrate my main vault to your site, will there still be a local version on my computer? And could I use 1PW offline with no problem? Yes, dumb Qs, but it's very important to me to have local, non-web-dependent access to PWs.

Yes. 1Password still works offline. It can't sync while you're offline, so changes you make on an offline device won't appear elsewhere, but you can otherwise work just as if you were online. Not a dumb question. This is a concern a lot of people have, which is why we designed it this way. :)

Related to above Q, are the automatic backups, found in the Prefs, still working for the web-based vault(s)? Also, unfortunately, I'm not sure of the BU frequency, although the pref pane mentions daily and monthly BUs, and there doesn't seem to be any way to set this manually (which isn't a big deal). Main thing is, I really need regular BUs that can be accessed and, if necessary, restored offline.

Could you please elaborate on that need? What would be the scenario you're trying to protect against? As discussed above, your data is cached locally, so you can access it even while offline. But I'd be interested to hear more about this concern. Are you backing up your computer regularly using Time Machine or similar?

Ben

If it isn't much hassle, I'd appreciate a brief summary of how different the 'equivalent' risks are, between using DB and your website.

• Your data is end-to-end encrypted using secrets only you know either way. With 1Password.com there is a layer of protection in the Secret Key in the event someone is able to gain access to your data via access to our servers, which isn't present with Dropbox. With Dropbox your Master Password is your only protection in such a scenario.
• Both Dropbox and 1Password.com offer a web interface that you can log into, and so there is a risk of phishing. E.g. someone could design a page that looks exactly like either dropbox.com or 1password.com and tricks you into entering your credentials into it. This risk is somewhat mitigated by 1Password itself, if you use it to fill your credentials into the web interface, but in the event you're using 1Password.com on a computer without 1Password installed you don't have that protection.
• There is also the potential threat that someone who is able to gain access to our servers could modify the code that is delivered to you via 1Password.com. In this scenario you'd be on the real 1Password.com but would be getting code not written by us. In this case an attacker could capture your credentials. This is mitigated by using the native apps, which are code signed, so they're tamper resistant. I imagine we'd love to do the same for the web interface if a standard for doing so is ever decided upon and made available in the major web browsers.

Understand about usability offline, aside of course syncing. Thanks for the reassurance.

Sure thing :+1:

Sorry about confusion concerning BUs. Actually, I have never actually needed a BU file, I guess my paranoid nature just makes me 'need' to know that the BUs are still available. And yes, I do regularly BU with Time Machine, so you're right, there should be several relatively recent BUs of the '.opvault' files.

No worries. 1Password membership doesn't use OPVault files, but yes, the cache would be included as part of your Time Machine backups by default.

Thanks for the quick and clear answers Ben.

My pleasure. :)

Ben