Subscription Service - Syncing - Data Security

I have 1Password 6. I recently signed up for an idividual account. After creating my account I moved my data to a vault within the account. I can view the data (and I assume edit the data) when I sign on to my account. I did not have an account prior and I synced my data with Dropbox across several devices. My questions: How secure is my data as stored within the account - this is my financial life? Should I continue to sync with Dropbox or is this now a redundant activity? With the individual subscription can I use 1Password as a web based service or do I need to install an run the standalone product on each device? What is the status of my standalone product license? If say two years from now I decide to stop the subscription service will I then need to purchase an upgrade to bring my standalone license current?

Thanks,


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • JacobJacob

    Team Member

    Hey @pampano! Glad to hear you signed up and got everything moved over smoothly. :) I'd be happy to answer your questions.

    How secure is my data as stored within the account - this is my financial life?

    The short answer is very secure. More secure than it was when you synced with Dropbox, in fact. There are actually three umbrellas of security in 1Password accounts. Before all of them is your Master Password and Account Key. In the standalone version of 1Password, everything is protected by your Master Password and all the security wizardry in the app. But in an account, the Account Key is used to strengthen things even further. If you have a weak password, it's very unlikely someone will be able to access your data because the Account Key is a 128-bit string of characters that's generated locally when you set up your account. It never leaves your device, and we ask that you print it out to have a copy in case you need it later — you're probably not going to remember the whole thing. ;)

    It’s great to have a Master Password and Account Key protect your data, but they also need to communicate with the server to access your data, so we use three layers to protect things at rest and in transit. The first layer is based on your Master Password and Account key, which are used to derive a secret that is used to securely encrypt all of your data, both at rest and in transit between your devices and our servers. The second layer is based on the Secure Remote Password protocol. It allows your devices and our servers to make sure they are who they say they are. This provides an additional layer of protection against attack. The third and final layer is the standard TLS/SSL protocol. This layer provides a final layer of encryption and also allows your web browser to indicate that you were communicating directly with a 1Password web server.

    If you'd like to read more about how 1Password protects your data with sync in general, we have a great knowledge base article with some more details:

    How 1Password protects your data when you use a sync service

    Should I continue to sync with Dropbox or is this now a redundant activity?

    There's not really a need to. It would mean you have two copies of data to maintain, and it would get confusing so I wouldn't recommend it. Also, if you move stuff to your account, the data in the account can't be synced with Dropbox since it's in the account. ;)

    With the individual subscription can I use 1Password as a web based service or do I need to install an run the standalone product on each device?

    Yes you can. From any modern browser, 1Password.com is available and you can sign in there to access your 1Password data. The only thing is, the browser extension requires the apps, so if you enjoy filling your passwords I would recommend sticking with the apps. They also add some really great features to the web interface, like enhanced search and native design for your platform. If you're signed in to your account in the apps, they work together to provide the prime 1Password experience.

    What is the status of my standalone product license?

    You still have it, and always will. You don't need it if you decide to use the service though, since that includes all the apps.

    If say two years from now I decide to stop the subscription service will I then need to purchase an upgrade to bring my standalone license current?

    Yes. I can't say what the details will be since two years is a ways out, but it be a paid upgrade to the latest version at that point.

    Hope that helps answer your questions! Let us know if you have any others during your trial. :)

  • Thanks for the very complete answer. Much appreciated.

  • JacobJacob

    Team Member

    You're most welcome. :) We're happy to help.

  • Hi,

    thanks a lot for this post, but I have similar questions to understand the security protection. I already read you white paper, but I think I need some additional explanation regarding the security of my vault behind an account.

    It’s great to have a Master Password and Account Key protect your data, but they also need to communicate with the server to access your data, so we use three layers to protect things at rest and in transit. The first layer is based on your Master Password and Account key, which are used to derive a secret that is used to securely encrypt all of your data, both at rest and in transit between your devices and our servers

    As I understand the Master Password and the Account Key will never leave the device. Instead a third key from the Master Pasword and the Account Key will be calculated and transferred to the server to decrypt the data, right? So I assume that the decryption will take place on server side and not on client side? That means that my data will be unencrypted available on server side during my session or?

    In addition my assumption is, that my data is decrypted by 1 Factor "the Master Unlock Key". So it should be the same security as a 128 Bit Master Password in the standalone version, or not?
    That means that an attacker will be only interested on my Master Unlock Key and not on my Master Password and my Account Key at all.
    So in the worst case the attacked can try to brute force my Master Unlock Key.......

  • JacobJacob

    Team Member

    @Finke03 Thanks for reading the White Paper. :) I'd be happy to clear this up.

    Instead a third key from the Master Pasword and the Account Key will be calculated and transferred to the server to decrypt the data, right? So I assume that the decryption will take place on server side and not on client side? That means that my data will be unencrypted available on server side during my session or?

    A third key is indeed created, but it's not used to decrypt the data. It's called the authentication key, and it's used for SRP communication to the server to get the encrypted data. The key is derived from both the Account Key and Master Password. This is covered more thoroughly in the "Deriving the authentication key" section of the White Paper (pg. 24). Once the data reaches the device, it's decrypted locally with the master unlock key. Which brings us to...

    In addition my assumption is, that my data is decrypted by 1 Factor "the Master Unlock Key". So it should be the same security as a 128 Bit Master Password in the standalone version, or not?

    The master unlock key is used for decryption once the data is retrieved from the server. However, this key is also derived from the Master Password and Account Key. You can't get the master unlock key with only one of those present, which is how it differs from the standalone design. For more details on this, I'd recommend reading the "Derivation of the master unlock key" section of the White Paper (pg. 21).

    Hope that helps clarify things! If you have any other questions, I'm happy to answer those as well.

This discussion has been closed.