Local Vault

Hi,

thanks for updating the interface of 1password for windows, i have immediately subscribed after checking, great job. But unfortunately, it is impossible to open a local vault that we had on 1password 7. There are some passwords which we are not allowed to sync to cloud (for work), hence they must stay local, and personal passwords that I want to sync to cloud.

It would be very nice if opening a local vault on 1password 8. Is it planned or will not be possible ever?

Thanks.


1Password Version: 8
Extension Version: Not Provided
OS Version: windows 10

«1

Comments

  • Hi @benwade

    Thank you for your interest in 1Password 8. I understand the concern regarding the lack of standalone vaults in this version. In case it is helpful, I wanted to outline some of the important aspects of how we handle your data.

    1. 1Password always works from a local copy of your data. Data you enter is encrypted before it is saved into this local database. The database is stored on your computer, and syncs when you are online. This means you can access your data while you're offline (or in the event that we are offline).

    2. The Secret Key - This is explained more fully in our security white paper, but the short explanation is that if someone were to guess or bruteforce your account password, that still wouldn't be enough to get your data. The Secret Key provides a serious safeguard against this, and the mathematical complexity that it puts in an attacker's path is essentially insurmountable with current attack methods and hardware. It makes it such that even if someone could steal everything from our servers, they wouldn't be able to access any secrets you've stored in 1Password. This key is not available to us, either, so even in the case of a malicious employee with the highest levels of access, your data is protected.

    3. We put our trust in encryption rather than authentication. This is because, in short, "Encryption means that 1Password does not face the kinds of threats a largely authentication-based system would face, and we have used an authentication mechanism that defends against many of the threats faced by many other systems." You can read more about this, if you're interested, in our short guide here: https://support.1password.com/authentication-encryption/

    4. We undergo security audits and pen tests, which you can find here: https://support.1password.com/security-assessments/

    In short, we have made 1Password as secure as possible, keep the ability to unlock your data out of our own hands, collect nothing besides what's needed to run the service, and continually have our security tested for weaknesses.

    One of our founders, Dave, wrote about why we're moving away from standalone vaults and to membership exclusively, here. While of course you are ultimately the final judge of what's best (or perhaps even necessary based on policies etc) for your situation, I hope this provides some helpful context for how we're doing things now and going forward.

    Ben

  • Joshua Samuel
    Joshua Samuel
    Community Member

    I have the same issue as Ben - my employer has strict requirements for where their secrets may be stored, with strong regulatory and industry specific attestations required - beyond the SOC2 that you attest to.

    If you had a docker container / local server option - even if that server required a phone-home for licensing purposes- that would enable my continued usage of Version 8.

  • J.M
    J.M
    Community Member

    There's a survey in progress here concerning self-hosting : https://survey.1password.com/self-host/

  • Ben
    Ben
    edited November 2021

    Yep; indeed. Thanks for calling that out, @J.M! @Joshua Samuel I'd encourage you to participate in the survey. This will help us gauge the level of interest in such a solution, and help us determine feasibility.

    Ben

  • t0hvanah
    t0hvanah
    Community Member

    @Ben Will the 1Password iOS app be updated to version 8, or will a separate version be added to the App Store? I wish to stay on stand-alone, Wi-Fi synced, vaults for now in version 7. I’m concerned having app auto-update on will leave me stuck on the new version!

  • ag_ana
    ag_ana
    1Password Alumni

    @t0hvanah:

    Will the 1Password iOS app be updated to version 8, or will a separate version be added to the App Store?

    It will be a separate app in the App Store :+1:

  • davido1138
    davido1138
    Community Member

    @Ben

    Thank you for your summary.. however I should note that they are companies that are so stringent on their security policies that storage of company credentials or information anywhere that is not local computer storage or within their environment is a firing offense. That includes mine. And they have actually clearly stated that 1Password does not get an exception for this. That means that - as password and credential solution - no matter how secure 1Password is - with the change to a subscription only model we simply cannot use it at my company - and that's a total of about 60k engineers worldwide (last I checked).

    Please do consider providing a mechanism that allows for storage on local file volumes - even if that means requiring that the macOS app be installed.

  • @davido1138 thanks for this thoughtful feedback and the specifics of your use case. I have passed it along to our developers.

  • @davido1138 , I'd love to connect you with our specialist team to discuss this issue. Could you (or an appropriate decision-maker) email us at business@1Password.com with a link to this discussion? Our team members will be happy to connect with you!

  • ljohnston
    ljohnston
    Community Member

    Just learned of this decision to drop local vaults from 1password 8 and am so disappointed! I am in the same situation as many others here... my employer forbids storage of any passwords in the cloud. That made 1password a no brainer as I could use a local vault at work and still use the cloud for my personal stuff. Because of that support for local vaults, 1password was on the "approved" list of password managers at work. That approval will definitely go away - storage of passwords in the cloud is a non-starter. And we're talking about a company with well over 100,000 employees worldwide.

  • Hi @ljohnston:

    Thanks for your feedback here including your use case. Additionally, as my colleague Peter mentioned above, you, or an appropriate decision maker if necessary, can email us at business@1password.com with a link to this discussion and our business team would be happy to connect!

    Jack

  • zzzamboni
    zzzamboni
    Community Member

    I would like to add another vote for local vaults, and for the same reason cited by @ljohnston, @benwade and others. I currently use 1Password 7 with a family subscription for my personal stuff, and with a local vault for my work-related credentials, since my employer has strict policies about this. With 1P7 this is easy, but makes it impossible for me to migrate to 1P8. I hope you can reconsider the possibility of adding support for local vaults in a future version of 1P.

  • Hi @zzzamboni:

    Thanks for your input here. As I mentioned above, you (or an appropriate decision maker at your organization if necessary) can email us at business@1password.com and our business team would be happy to chat about this!

    Jack

  • jeroenn
    jeroenn
    Community Member

    I'm a bit confused about the use of 'standalone' and 'local' and the references to Dave's post. I understand the point of making everyone use subscriptions and I've had one for ages, but why does that mean we can't have a local vault?

    Anyway, I'd like to add a vote for keeping local vaults. I'm using the online version of 1password privately, but my job requires me to save my passwords offline. If I can't use local vaults, I'd have to use another service.

  • I'm sorry for the confusion caused. In some ways we've adopted the terminology folks have been using in order to facilitate the communication. "Local" isn't a word that I would choose to use in reference to standalone vaults, as it implies that the data 1Password is working with when using a membership isn't on your device. This is incorrect. 1Password always works from a local database, which is then synced with the server when you're online. It also implies that the data doesn't leave the device, which is also often incorrect, as folks more often than not used iCloud or Dropbox to sync their standalone vaults to their other devices.

    Vaults that are exclusively "local," and don't sync anywhere, are not part of our business model at this time. We have lots of experience with that, and after evaluating all of the pros and cons have decided that moving forward it isn't something we're going to support. There is still consideration for self-hosting the 1Password service, which may allow for most/all of the benefits of 1Password.com, while still meeting the demand for on-prem. There is a survey available on that subject here.

    Ben

  • blaukraut
    blaukraut
    Community Member

    I am really sad to hear that the 1 password team is dropping the support for the local vault sync in version 8. I have been using 1Password for 12 years now and was always pleased with it and I have recommended to colleagues friends and family. But if the 1 password team won't reconsider their decision I will stick with version 7 for now and will look for alternatives. If I am forced into a cloud solution I can use apples free keychain as well.

  • Thanks for being with us for so many years @blaukraut. Stay safe out there, and if you decide to give us another shot, we'll be here. :smile:

  • hotoutside
    hotoutside
    Community Member

    Agree with @blaukraut. My org is in the process of spec'ing a password manager rollout (we've got over 40k employees). My understanding is 1Password was a top candidate, but with this 1P8 announcement, we'd be unable to meet existing contractual agreements... Such a bummer/pain.

    Short version: we've removed 1P8 from the candidates list entirely.

  • I'm sorry to hear this, @hotoutside! As always, I'd be happy to connect you with our specialist team if someone at your organization would like to discuss our security model, how things work, and why large orgs with high security requirements are finding we present the strongest option.

  • ljohnston
    ljohnston
    Community Member

    As always, I'd be happy to connect you with our specialist team if someone at your organization would like to discuss our security model, how things work, and ...

    While I appreciate the offer, it is astounding how naive that statement is. There is no way - and I wouldn't even want to waste your time - that our company is ever going to change it's position on cloud-based password storage. And we're talking over 140K employees. While 1 password was on the approved list, it is no longer.

    I'm going to guess that the companies that @benwade, @hotoutside, @davido1138, @blaukraut, etc. work for are equally as unlikely to change their stance. This is just sad.

  • davido1138
    davido1138
    Community Member

    What @ljohnston said is correct. While you may 100 percent believe in your security solution (and I believe in it as well), my employer will not change this stance. And with good reason - everything is secure - until someone finds that one thing and then it’s not.

    Please consider providing a mechanism for creating a local storage vault.

  • Sounds like we're at an impasse, for now. Local vaults are not part of the plan for 1Password 8. The best I could suggest would be to fill out our survey on self-hosting of the 1Password service, if that would be a potential solution for your organization. These responses are reviewed by @dteare directly.

    https://survey.1password.com/self-host/

    Ben

  • jetboy
    jetboy
    Community Member

    Vaults that are *exclusively* "local," and don't sync anywhere, are not part of our business model

    I sync my local vaults myself or using the build-in sync-to-folder and WLAN sync to sync my iOS devices. But I don't think this counts under the above quote. I'd be fine running my own 1Password service, but that will be of no use if the apps stop working when the subscription ends (e.g., on an older machine that's no longer supported, or if the company gets purchased or goes out of business).

    I have a number of older machines around, running various versions of MacOS, that I use because the software on them has no good replacement or none that maintains the data (e.g., Quicken 2007). I can do this because the software is licensed and will continue to run, and my data is local. With a subscription model, if the subscription expires, or the service is discontinued, or I need to stick with an old version on a particular machine, I'm sunk. It stops working if any of these happen. Or, if the company is purchased or goes out of business, the software will stop working and/or the data becomes inaccessible.

    I need assurance that my software will continue to function and my data will remain accessible and under my control even if AgileBits is purchased or goes out of business. I'm happy to host a service on one of my own servers and do my own backups. I'm fine with paying for software but the software must continue to function even if I'm running an old, no longer supported version or the company is consumed by another.

  • I need assurance that my software will continue to function and my data will remain accessible and under my control even if AgileBits is purchased or goes out of business.

    I don't think that is a promise any software vendor can make, @jetboy, and it certainly isn't one I'm able to make. The nature of software is that in order for it to be viable long term it needs to receive updates. For starters, you’d essentially have to be “frozen in time” and not update either your operating system or your web browsers. That isn’t a practical solution in most cases. It is also a really poor option in terms of security, which is one of the core reasons to use 1Password in the first place. Otherwise it is very possible that an update from a 3rd party would be incompatible with the existing version of 1Password.

    The need to release frequent updates in order to maintain compatibility was one of the motivating factors behind moving to a subscription model. As an example, we just had to update 1Password 7 and 1Password 8 because Chrome changed their signing certificate, and so earlier version of 1Password can no longer connect to it.

    That said, we intentionally offer exports with open formats to ensure your data remains yours. This article (from 2013) is a little dated at this point, but the principal still holds true:

    You have secrets; we don’t, why our data format is public

    You can read about the 1PUX open format in 1Password 8 here:

    About the 1Password Unencrypted Export format

    the software must continue to function even if I'm running an old, no longer supported version or the company is consumed by another.

    I don't think that's feasible. It certainly isn't something I can promise with regards to 1Password, and frankly I wouldn't recommend trying to do so. In such a scenario the best course of action would be to export your data and migrate to an actively maintained solution.

    Ben

  • jetboy
    jetboy
    Community Member

    I don't think that is a promise any software vendor can make, @jetboy, and it certainly isn't one I'm able to make. The nature of software is that in order for it to be viable long term it needs to receive updates. For starters, you’d essentially have to be “frozen in time” and not update either your operating system or your web browsers. That isn’t a practical solution in most cases. It is also a really poor option in terms of security, which is one of the core reasons to use 1Password in the first place. Otherwise it is very possible that an update from a 3rd party would be incompatible with the existing version of 1Password.

    In my post, @Ben, I was talking about the unusual scenario where a machine is deliberately "frozen in time" for specific reasons, with examples of where it's necessary. I thought it was clear that I was not talking about a current, updated system. Obviously, older software becomes obsolete on such machines. That's elementary. I'm sorry I did such a poor job of explaining my point that you think I'm demanding something unreasonable or impossible.

  • I understand. That's not something that we can support or encourage, either. There's a lot of alternatives out there to Quicken 2007 that don't require you to run an insecure operating system. I know that's not what you are hoping to hear, but that's our position. At the end of the day we're a company that is heavily invested in the security of our customers, and using legacy y maintained software is incongruent with that. If you are intent on doing so then I would highly recommend that you disconnect such a machine from the Internet and use it solely for the legacy software that you're keeping it for.

    Ben

  • davido1138
    davido1138
    Community Member

    Sounds like we're at an impasse, for now. Local vaults are not part of the plan for 1Password 8. The best I could suggest would be to fill out our survey on self-hosting of the 1Password service, if that would be a potential solution for your organization. These responses are reviewed by @dteare directly.

    https://survey.1password.com/self-host/

    Done. Thanks @Ben

  • Thank you @davido1138. 👍️

    Ben

  • mikebore
    mikebore
    Community Member
    edited April 2022

    That said, we intentionally offer exports with open formats to ensure your data remains yours.

    I am generally pretty happy with 1P8, but am concerned about being locked in for ever, so the above quote is important to me. I have experimented with 1PUX exports from 1P8 and it was not a good experience (https://1password.community/discussion/126092/does-1password-8-change-local-backup-situation#latest).

    Are you saying that 1PUX exports are usable as import options by other apps if I ever wanted to change?

    Thanks

This discussion has been closed.