Nervous about 1Password subscription vs. syncing vault with other services

After being a very long-time user of 1Password w/o being a subscriber, I decided to give the family options a try, as it seemed to make sense for various reasons. But now I'm wondering if it's a reduction in actual security.

Before using the subscription model, I really liked the idea that my 1Password data wasn't available simply by logging onto a website. I hate that all my passwords are available online via a web browser. When using Dropbox or iCloud, an attacker would need to compromise that account AND have my 1Password password. Seems like more work than all being bundled together. I wish the 1Password online access was simply for account management, and didn't allow access to actual passwords. Seems like this adds attack vectors, such as exploitable bugs that could be found in browsers.

I also can't help but believe that the 1Password organization has easier access to my data, if it lives on their servers, my password is entered on their website, and when access to all my passwords is available via a web interface. Seems less risky if you use Dropbox or Apple to host the data, as no single organization is hosting the data and dealing with the password. While, obviously, there's a lot of trust necessary to use a closed-source password manager, seems the trust is even greater in this situation.

I really liked that U2F security keys can be used, but seems that the time-based app authentication continues to work too, so the security advantage seems a bit muted. I was also unclear, when signing in on an iOS device, the 1Password message says to plug in the U2F key (or you can cancel and use the time-based authentication app). Will the app work with a Bluetooth U2F key? Or do you have to use a key that physically plugs into an iOS device? I'm also unclear, can I delete my time-based app, and add several U2F keys to my account? Just a lot of details with 2FA that I don't see mentioned.

And how about adding an option for users to make 2FA required for EVERY 1Password.com log in? I guess I worry there are session cookies, or some other data, which could be exploited by an attacker.

I also realize it's possible to make mistakes adding accounts. It's my own fault, but at one point I mistakenly loaded my own 1Password data onto my son's iPad. I immediately used the "delete all data" and realized I needed to add his account a different way.

Do these concerns make sense? Is there any compelling argument having my passwords available on the 1Password site is actually more secure (assuming I'm using solid security on my other host)? Note that I'd rather have more security and less convenience, whereas I know some people prefer a different balance.

Finally, I've put a fair amount of effort into updating my family's Mac apps from 6 to 7, updating the vault types, and using the system this way with the free trial, assuming I'd move forward with it. But now I'm wondering how difficult it might be to go back to the model of using the purchased 1Password software, and syncing via Dropbox or iCloud. Is there a guide for converting back to that model? And if I do, I'm unsure if I will need to (or should) buy 1Password 7 for Mac to go back to how I was doing it before. Do I need to worry that stopping the trial will cause any confusion regarding the 1Password app I previously purchased for iOS?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • I also can't help but believe that the 1Password organization has easier access to my data, if it lives on their servers, my password is entered on their website, and when access to all my passwords is available via a web interface.

    To you the passwords are available via a web interface, but they are not transmitted over the web. The only thing the server makes available to you is the encrypted package of your passwords (just as they are stored on iCloud or Dropbox as well, only with weaker encryption since there is no secret key). The decryption of your data is done locally on your machine; even if it is shown in the browser, the unencrypted data is never available "online", and your password and secret key are not transmitted to 1Password's server.

  • Ben AWS Team

    Team Member

    Hi @SecretDude

    peacekeeper has provided a very good overview of how this works, and why it is a secure solution. Some other resources that may help in understanding how/why we do things the way we do, and how it is different than what most other services do:

    I also can't help but believe that the 1Password organization has easier access to my data

    That is absolutely not the case. We never have access to your encryption keys and as such cannot access the data you store in 1Password, regardless of where you store it.

    I wish the 1Password online access was simply for account management, and didn't allow access to actual passwords. Seems like this adds attack vectors, such as exploitable bugs could be found in browsers.

    You're right that browsers do tend to be fairly hostile environments. As such we'd recommend being very careful about what extensions you install. Whether you use 1Password or not, malicious browser extensions have a lot of power... potentially including the ability to read your passwords out of websites as you enter them.

    1Password is one tool in the toolbox for increasing your security. Other good security practices are still required (e.g. having 1Password isn't an excuse to start clicking links in emails).

    I really liked that U2F security keys can be used, but seems that the time-based app authentication continues to work too, so the security advantage seems a bit muted. I was also unclear, when signing in on an iOS device, the 1Password message says to plug in the U2F key (or you can cancel and use the time-based authentication app). Will the app work with a Bluetooth U2F key? Or do you have to use a key that physically plugs into an iOS device? I'm also unclear, can I delete my time-based app, and add several U2F keys to my account? Just a lot of details with 2FA that I don't see mentioned.

    U2F is new and is still a work-in-progress. We support it for the 1Password.com web interface and in 1Password for iOS (via the Yubikey 5Ci key when connected to the device's Lightning port). Broader support across more of our apps will likely come as we continue to progress. Right now, if we didn't offer TOTP as an alternative, you wouldn't be able to use 1Password for Mac with your account, for example.

    And how about adding an option for users to make 2FA required for EVERY 1Password.com log in? I guess I worry there are session cookies, or some other data, which could be exploited by an attacker.

    You could potentially configure your browser to not store cookies / local data for 1Password.com in order to achieve this w/r/t the web interface.

    I also realize it's possible to make mistakes adding accounts. It's my own fault, but at one point I mistakenly loaded my own 1Password data onto my son's iPad. I immediately used the "delete all data" and realized I needed to add his account a different way.

    I'm not sure if there is a question or a suggestion here.

    Do these concerns make sense? Is there any compelling argument having my passwords available on the 1Password site is actually more secure (assuming I'm using solid security on my other host)? Note that I'd rather have more security and less convenience, whereas I know some people prefer a different balance.

    You're certainly right to be concerned about how your data is being stored and protected. I hope the information we've provided helps you make an educated decision on how to proceed.

    Finally, I've put a fair amount of effort into updating my family's Mac apps from 6 to 7, updating the vault types, and using the system this way with the free trial, assuming I'd move forward with it. But now I'm wondering how difficult it might be to go back to the model of using the purchased 1Password software, and syncing via Dropbox or iCloud. Is there a guide for converting back to that model? And if I do, I'm unsure if I will need to (or should) buy 1Password 7 for Mac to go back to how I was doing it before. Do I need to worry that stopping the trial will cause any confusion regarding the 1Password app I previously purchased for iOS?

    If security is your primary concern I absolutely wouldn't recommend using retired software that is no longer being updated, such as 1Password 6. If you want to revert to the standalone model that is certainly your prerogative but I'd still recommend keeping everything on 1Password 7. Licensing the apps for usage that way will almost certainly be more expensive than 1Password Families membership, but if that is what you're comfortable with, you can do that.

    As you might imagine, being a 1Password Team Member, I'm also incredibly concerned about my information security. I use 1Password.com, and don't use any standalone vaults (except for testing / customer service). I'm personally much more comfortable with that than with syncing my data via a 3rd party solution.

    I hope that helps. Should you have any other questions or concerns, please feel free to ask.

    Ben

  • Thanks for the detailed response. Good to understand the passwords are not transmitted over the web. I'll look through the links and see if I have any other questions.

  • brenty

    Team Member

    On behalf of Ben, you're very welcome! We're here if you have any other questions. :)

  • I haven't yet had a chance to read through the links, but is there an explanation of how the following works, securely? Just helps me feel better to understand how it works.

    I created my 1password.com account with a brand new password. Then I linked my existing 1Password app account to the web account (different password). And now I can access all my passwords on the website, w/o ever giving the website the password I used on the app.

  • Ben AWS Team

    Team Member

    @SecretDude

    The guides above speak mostly about 1Password accounts, and not so much about standalone vaults, so I don't suspect you'll find a direct answer to that there. The question is really more about how the 1Password apps operate when both a standalone vault and a membership account are in play.

    The way the 1Password apps unlock is:

    1. If a Primary vault exists then unlock using the Master Password for that vault, regardless of what, if any, memberships are signed in
    2. If a single 1Password membership is signed in then unlock using the Master Password for that membership account
    3. If multiple memberships are signed in then unlock using the Master Password of the first added membership

    These are each exclusive scenarios. For example, if multiple memberships are signed in, you cannot unlock 1Password using the Master Password of the second account that was added. You'll always need the Master Password for your membership in order to sign into the 1Password.com website.

    Does that help explain what you're seeing?

    Ben

  • I appreciate all your time, Ben. This is great info, but I actually was wondering about how it works under the hood. Is it possible to explain how I can access my passwords that have long-lived on just the 1Password app using a pre-existing master password, but now I can access my password data on 1password.com with a new master password? I never explicitly gave the website my app master password, but I would guess that at some point I allowed some secret info to pass from my app to your servers. Is it possible to explain how that works (securely)? I have a very basic understanding of cryptography and hash functions. You're welcome to point me to another URL if this info is already posted. Thanks!

  • Ben AWS Team

    Team Member

    Is it possible to explain how I can access my passwords that have long-lived on just the 1Password app using a pre-existing master password, but now I can access my password data on 1password.com with a new master password?

    During the migration process (which would've happened when you signed into your account in the app) a copy of your data was made by the app in a new 'Personal' vault within your membership using the encryption keys for your account.

    When you delete the Primary vault, which we recommend doing, your apps will unlock with the Master Password of your account.

    Ben
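The following is an added example that is not part of this thread and not 1Password's own code; it models, in simplified form, the two points made above: peacekeeper's explanation that the sync host only ever stores an encrypted package and that the key is derived on the client from both the Master Password and the Secret Key (a standalone Dropbox/iCloud vault is modelled as the same scheme with an empty Secret Key), and Ben's last reply that migration is the app unlocking the Primary vault locally and writing a copy sealed under the membership account's key. The key derivation, the HMAC-based toy cipher, the `SyncHost` class and all sample values (salt, Secret Key, vault items) are constructed for illustration and are not 1Password's actual key derivation or vault format.

```python
import hashlib
import hmac
import json
import os

PBKDF2_ROUNDS = 100_000


def derive_key(master_password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Derive the vault key on the CLIENT from both secrets.

    Simplified model (assumption, not 1Password's real scheme): stretch the
    Master Password with PBKDF2, then mix in the high-entropy Secret Key with
    HMAC. A standalone vault is modelled with an empty Secret Key, so only the
    strength of the password protects that blob."""
    stretched = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.new(secret_key, stretched, hashlib.sha256).digest()


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys from the one derived vault key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy CTR-style keystream built from HMAC-SHA256 blocks.
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC (stands in for the AES-GCM a real format would use)."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key (or a tampered blob) is rejected outright."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered vault")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class SyncHost:
    """The server side, whether 1Password.com, Dropbox or iCloud: it stores and
    returns opaque blobs and never receives a password, Secret Key or vault key."""

    def __init__(self):
        self.blobs = {}

    def put(self, name: str, blob: bytes) -> None:
        self.blobs[name] = blob

    def get(self, name: str) -> bytes:
        return self.blobs[name]


def create_vault(host, name, master_password, secret_key, salt, items) -> None:
    key = derive_key(master_password, secret_key, salt)  # computed on the client only
    host.put(name, seal(key, json.dumps(items).encode()))


def unlock_vault(host, name, master_password, secret_key, salt) -> dict:
    key = derive_key(master_password, secret_key, salt)  # never leaves the client
    return json.loads(open_sealed(key, host.get(name)).decode())


def migrate_to_membership(host, old_name, old_password, new_name, new_password, secret_key, salt) -> dict:
    """Client-side migration: unlock the standalone Primary vault with the old
    Master Password, then store a COPY sealed under the membership account key.
    The old blob is left untouched, which is why both passwords keep working."""
    items = unlock_vault(host, old_name, old_password, b"", salt)
    create_vault(host, new_name, new_password, secret_key, salt, items)
    return items


def demo():
    """Constructed sample run: a standalone vault, then a migrated copy."""
    salt = b"constructed-salt-value"                    # constructed
    secret_key = b"A3-CONSTRUCTED-SECRET-KEY"            # constructed, not a real key format
    items = {"example.com": "correct horse battery staple"}  # constructed
    host = SyncHost()
    create_vault(host, "Primary", "old app password", b"", salt, items)
    migrate_to_membership(host, "Primary", "old app password",
                          "Personal", "new account password", secret_key, salt)
    return host, salt, secret_key, items


if __name__ == "__main__":
    host, salt, secret_key, items = demo()
    print(unlock_vault(host, "Personal", "new account password", secret_key, salt))
```

The check worth running is the negative one: with the "Personal" blob and the correct account password but without the Secret Key, `unlock_vault` raises rather than returning anything, which is the property that makes a leaked server-side copy less useful than a leaked Dropbox copy of a password-only vault.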
