Security = separation from iCloud / Safari passwords

Options
RobAW
RobAW
Community Member
edited September 2021 in Mac

I’m a very very long time user of 1PWD, on Mac, IOS, iPadOS. I have greatly valued the separation of the 1PWD database from iCloud/Safari passwords and it’s residence on local devices rather than the cloud . These days we subscribe to iPad families, etc.

However, as the 1PWD software functionality has increased, while I feel enabled by developments such as Safari extensions, I’m also more confused and frustrated in trying to understand the architecture. I’m particular, I worry that our data is more vulnerable now. In particular, I notice 1PWD passwords seem to now be among my Safari passwords …plus I can access our passwords via a browser, not just the device apps.

Bottom line is that I simply don’t “get” how this all works …or how I configure things to make the most of 1PWD sure that NONE of my passwords are accessible from any bad actor that cracks open iCloud.

Is there a really clear tutorial on this …one that doesn’t just guide me through some set up process but actually explains how this all works so that I can sleep at night?

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided

Comments

  • Ben
    Ben
    Options

    Hi @RobAW

    1Password accounts do not use iCloud to sync. Instead they utilize our 1st party service. All data is encrypted on your device using your account password and Secret Key before the data is syncronized. This means only data protected by both the account password and Secret Key is stored.

    The Secret Key makes it such that even if a bad actor were to gain access to the 1Password service, it would be implausible (if not infeasible) to decrypt your data. Even 1Password employees who in order to perform their job functions have the highest levels of access possible cannot see what you're storing in 1Password.

    To better understand how this works I would suggest starting here:

    About the 1Password security model

    If you have any questions along the way we'll be happy to help. Thanks!

    Ben

  • RobAW
    RobAW
    Community Member
    Options

    Ben,

    Really appreciate the quick reply and the reminder about some of the security attributes of 1PWD.

    Sorry to dig in a bit but I should probably focus a bit more precisely on what alarmed me enough to join the forum yesterday and raise my concern yesterday. Having allowed the 1PWD extensions in Safari under iOS 15 / iPadOS 15, I now see that my iCloud/keychain passwords (located on each device under Apple’s “Settings / Passwords” now contain seven “1Password.com” records. One of these contains my 1PWD user name and 1PWD password, and another actually contains my Secret Key (though oddly shown as a user name field). I’m not an IT guy so this maybe still a comprehension issue on my part, but it definitely looks like all they keys to unlock my 1PWD account are right there in my iCloud passwords…and I did not knowingly put them there…I wouldn’t do that!

    Can you help me understand this?

    Thanks again!

  • Jack.P_1P
    Jack.P_1P
    Options

    Hi @RobAW,

    Is it possible you have iCloud Keychain enabled still? Either in iCloud settings or in AutoFill options? That would likely be the cause as how your 1Password information was saved into your iCloud Keychain.

    Jack

  • RobAW
    RobAW
    Community Member
    Options

    Jack,

    I definitely do (still have it enabled)!

    Over recent years, I've adopted a practical approach for us of using 1PWD as our "secure vault" and iCloud as my "not so worried vault" - if nothing else because it was a whole lot easier just to autofill shopping sites etc. from Safari passwords. I definitely had not realized that the two now cannot co-exist alongside each other in this way without compromising my 1PWD security...maybe I don't read instructions well enough!?

    If this is the case, it's going to be a real head-scratcher in terms of how best to resolve, though as right now neither 1PWD OR iCloud is the source of all truth for my many hundreds of passwords today...

  • brank
    brank
    Community Member
    Options

    @RobAW

    Yes, it's true that cloud-based password managers are less security and more vulnerable than local storage, but cloud-based password management is the future, and has been for quite some time, because it's not feasible to run a software company on a standalone license model anymore, and subscription-based models are facilitated by cloud-based vaults because of customer lock-in.

    It's still really good security, albeit not "great" anymore, so take it for what it is and enjoy it.

  • Jack.P_1P
    Jack.P_1P
    Options

    @RobAW,

    That would definitely cause the confusion you're seeing.

    While 1Password isn't able to directly import from iCloud Keychain, MrC's converter is able to handle exporting your passwords from iCloud Keychain into 1Password.

    I've moved your thread to the Mac section so if you have any issues with the converter tool, @MrC will be able to assist. :smile:

    Jack

  • RobAW
    RobAW
    Community Member
    Options

    Jack,

    Thanks for this. I will look into this option. Sorry to keep the conversation running but this has definitely thrown me for a loop since yesterday - there are now three thoughts I'm wrestling with in real time ...

    1. What would I lose in terms of user experience/functionality on Mac/iOS/iPadOS devices by having 1PWD as the single source of truth for passwords on my devices? I've never given that any thought to this point...had assumed I could just keep using iCloud/Safari/keychain for lesser passwords.

    2. If I DO then go to 1PWD only - *exactly how should I set all my settings on my devices so that I get this right and iCloud/Safari/keychain is turned off entirely? (BTW - sorry to be slightly whiney, but this guidance might have been helpful to 1PWD users from the 1PWD team at the outset.)

    3. If I DO NOT, how do I get my 1PWD passwords intoiCloud/Safari/keychain to let that be my primary password owner (while finding a local device only solution for my more secure items) - can I use MrC to achieve this?

    Appreciate the attention you're giving this - thanks.

  • ag_ana
    ag_ana
    1Password Alumni
    Options

    @RobAW:

    What would I lose in terms of user experience/functionality on Mac/iOS/iPadOS devices by having 1PWD as the single source of truth for passwords on my devices?

    You would just avoid confusion, and you would not have to worry about thinking where you have stored some particular password. I think overall you would just improve your user experience but using just a single tool.

    had assumed I could just keep using iCloud/Safari/keychain for lesser passwords.

    You can certainly do this, it will work, but there is no need to use two tools that do a similar job. Also, you would only be able to use these passwords on Apple devices and in Safari, while you can use 1Password in multiple browsers and on other platforms too.

    If I DO then go to 1PWD only - *exactly how should I set all my settings on my devices so that I get this right and iCloud/Safari/keychain is turned off entirely? (BTW - sorry to be slightly whiney, but this guidance might have been helpful to 1PWD users from the 1PWD team at the outset.)

    Here are the instructions for this:

    Set up AutoFill

    If I DO NOT, how do I get my 1PWD passwords intoiCloud/Safari/keychain to let that be my primary password owner (while finding a local device only solution for my more secure items) - can I use MrC to achieve this?

    I don't believe I have ever seen a case where the converter would be used to go back to Keychain, but an option is always that to export your data:

    How to export data from 1Password

    At that point, you can add your items to Keychain if you prefer, in whatever form or category you find more useful.

This discussion has been closed.