New Online Vault and Security

Hello All!

I've been a Roboform (RF) user for what must've been 10 years. Possibly just like a lot of previous users on this forum, I decided to give 1password (OP) a try thanks to (consider him your good friend XD) Paul Moore and his review on RF, in addition to his recommendation for OP. After ignoring his advice for years, my RF subscription is finally coming to an end and I'm ready to switch.

The guy didn't get a crazy amount of attention, but from these three articles, an important take-away for me concerned RF's implementation of the online vault (RoboForm Everywhere online). After logging into the account and trying to access my passwords there, I would need to enter my master password, and the decryption is carried out on the server, meaning that they will have my master password no matter how they handle that information. Paul recommends OP because it did not have an online server, I believe, at the time when he wrote the article.

However, today during my initial contact with OP, it looks like OP has evolved and now hosts its own server in addition to a new subscription structure. So I opened an account for online vault, and surely, I have to enter my MASTER PASSWORD to enter my vault?!

In summary, my concerns are:

1) Why did you choose to make users use master password as the log-in password for online vault? I avoided LastPass for this exact reason. FYI, as insecure as RF's online server is, they at least offered the option to use a different password to log into the online account, and then use master password to decrypt passcards.

2) How is your approach different from RF (and possibly LastPass) in allowing users to access their passwords online? For example, for RF, I log into my online account (again, with a credential independent of my master password, which at least gives me a sense of a higher level of security), then enter my master password when I want to check out each individual passcard (and again, they admitted that they would have to decrypt server-side, which is a loophole in security for the users, to say the least). How is your approach different from the above-mentioned approach? For an almost similar user experience between OP and RF, which is to log into an online vault and look up my passwords, how or why do you not have my master password?

To be fair, I have not imported all my passcards into OP vault so I cannot see the full picture here. Please consider this post both an inquiry and an education request.

Thank you for reading!
Sean

P.S. while I'm posting this, I thought I may as well post a separate question:

3) If I go with version 6 and your subscription service, will I still be able to choose to sync over my own cloud server like Dropbox or Google Drive, or maybe OneDrive (because of censorship I experience when I'm traveling to certain countries)?


1Password Version: 6.?
Extension Version: N/A
OS Version: Win10 Version 1607
Sync Type: Vault (for now)

Comments

  • brenty

    Team Member

    @cs88rf: First of all, welcome! I'm glad to hear you've decided to give 1Password a try after all this time. Certainly making a change like this isn't trivial, so it's interesting to hear a bit of your history. :chuffed:

    1) Why did you choose to make users use master password as the log-in password for online vault?

    As you can probably imagine, a lot of people forget their Master Passwords; regardless of how many times we say "Don't forget your Master Password", it is unfortunately inevitable. So you might also imagine that having another password to remember is another opportunity to forget something important -- and that's why people are using 1Password in the first place: so they don't have to remember all of these! And having a separate password to protect the "online vault" is kind of meaningless, as this would be one of two things: a hoop to jump through not offering any additional security (if you can get the data another way with just the Master Password, for example), or a second password encrypting the vault encrypted with the first password -- which, at that point, you might as well just use a stronger single Master Password, which would offer the same security benefit but be less complicated to deal with.

    Now, I know you're probably going to have some objections there, but if you'll bear with me I'll explain what we are doing. It's actually similar to what you're asking for, with a few key differences that make it easier to deal with:

    • The Account Key is a second piece that's required for your account.
    • The Account Key is saved on an authorized browser/device, so that it doesn't need to be entered each time.
    • The Account Key can be accessed from an authorized device so that you can easily authorize a new one.
    • The Account Key is used to actually strengthen the encryption of your data.

    2) For an almost similar user experience between OP and RF, which is to log into an online vault and look up my passwords, how or why do you not have my master password?

    Sort of in the same vein, when you use 1Password, AgileBits never has access to your data, regardless of the setup you choose. Even with 1Password for Families, your data is encrypted on your device, so all the server ever ends up with is an encrypted blob. And since the Account Key is created locally, your Master Password is only known by you, and neither is ever transmitted, no one — including AgileBits — has the means to decrypt the data. That, to me, makes all the difference. You can read more details on how all of this works in our white paper, and don't hesitate to ask any other questions you may have! :)

    To be fair, I have not imported all my passcards into OP vault so I cannot see the full picture here. Please consider this post both an inquiry and an education request. Thank you for reading!

    Totally! Thanks for asking! :chuffed:

    P.S. while I'm posting this, I thought I may as well post a separate question:
    3) If I go with version 6 and your subscription service, will I still be able to choose to sync over my own cloud server like Dropbox or Google Drive, or maybe OneDrive (because of censorship I experience when I'm traveling to certain countries)?

    So far, it seems like people have better luck with 1Password.com than any of those, both with country and company restrictions, but to answer your question, you can still use local vaults alongside 1Password.com vaults if you wish -- with the caveat that the new Windows app currently has only read-only support for them. If you'll give me a better sense of what you're trying to do, I may be able to offer some more concrete suggestions. :sunglasses:

  • Thanks for your reply. I'm convinced and test started!

    Regarding question 3, I meant to use my own cloud service to sync the passcards, e.g. DropBox, Google Drive, or OneDrive. I got to know 1password with the perception that that can be done originally, but it looks like things changed with the new subscription model and version 6?

  • MikeT Agile Samurai

    Team Member

    Hi @cs88rf,

    On behalf of Brenty, you're welcome.

    I got to know 1password with the perception that that can be done originally, but it looks like things changed with the new subscription model and version 6?

    Correct, to help simplify the 1Password experience, we've decided to do our own service, so that you don't have to worry about syncing, backups, and knowing various vault passwords to share with family members, guests, co-workers and more. You can find out more on why here: https://support.1password.com/why-account/

    You can still choose to use local standalone vaults for now, but 1Password 6 for Windows is a brand new program that doesn't have full local vault support yet; you'll have to use 1Password 4 instead or wait until 1Password 6 gains support. We don't have a timeframe on when this would be done.

  • No worries. Using beta (or in this case, a fresh-start version that is rapidly developing) is within my comfort zone. Will stay with the newest version anyway =D

    By the way, choosing OP over dashlane (I was desperately deciding between these two) has very much to do with this awesome support forum. Keep it up! I hope to fully subscribe to OP before my trial ends. I'm currently digging deeper into the file conversion tasks and about to temporarily install RF 6.9 to export full URL.

  • Hello @cs88rf, I've been looking for a copy of RF 6.9 to get access to full URLs (I have over 1600 logins from spending approx. 15 years using the program).

    Where did you get your copy? Annoyingly, I've deleted all my old downloads.

  • cs88rf
    edited January 2017

    @Daviduk Hi! I used OldVersion website here

    It was a relatively popular site and I saw suggestions for it elsewhere. But to be safe, I spent more time setting up a virtual environment to install and export all the passcards.

    I think RF changed their file format some time in 2010 (approximately when I upgraded to version 7), because on my computer there is a folder called "old format" under My Roboform Data directory. I disregarded this fact and it seems RF6 read most of the files created in RF7 after 2010.

    1600 logins are even crazier! I have 750 and am currently having problems with the conversion process. I used the great converter made by the great MrC, but after importing the files, a lot of usernames and passwords lost their attributes and are now placed under the notes section in OP. My last resort if this can't be solved would be to just leave them as-is and update each login the next time I visit a website. Please let me know your success rate among 1600 cards and I'll know if I'm doing something wrong.

    p.s. I started using RF about 10 years ago and, no disrespect to OP, RF does have many neat features and is a more polished product imo. However, with security being the top priority these days, I am just too afraid to continue my path with that green robot =(

  • @Daviduk MrC is awesome and updated converter v1.10 on the fly, and solved many of my issues. Give it a try!

  • Greg

    Team Member

    @cs88rf: Am I right to understand that you have managed to solve the issues you had and are all set now?

    @Daviduk: The data converters, created by the great @MrC, can be found here. If you need our assistance with moving your data to 1Password, please let us know. Thank you!

    We really appreciate your participation in the forums here. Without you it would not be this good. :)

    Cheers,
    Greg

  • @cs88rf Thank you, I will utilise a 16-year-old laptop to install an old copy of RF; it won't be connected to the Net, just in case :-)

  • MikeT Agile Samurai

    Team Member

    Hi @DavidUk,

    Always better to be safe than sorry. Make sure you delete and empty the trash after you're done, so no traces of the export file are left behind.

    Let us know how it turns out.

  • MrC Community Moderator

    @Daviduk ,

    I have the old 6.99 version if you need a copy - let me know. I've double-checked its checksums, so I know it is the original.

    I've updated the converter suite in Testing Bits - the roboform converter more easily supports adding new Username and Password strings and patterns.

    I have some more work to do on it to support localization, but I'll do that later this week.

  • Greg

    Team Member

    @MrC: Hopefully, together we will be able to help @daviduk with the migration process. :+1:
    David, if you have any questions, please raise them in a reply. Thanks!

    ++
    Greg

  • @MrC Yes, a genuine copy of 6.99 would be great; I think I even have my old licence number somewhere if it needs one. Are you able to PM me on here for my email address?

  • brenty

    Team Member

    @Daviduk: I think it may be easiest to shoot MrC an email. You can find the address at the top of the convert_to_1p4.pl script in the converter bundle. Cheers! :)

  • @brenty Thank you, I can't download from that link at work, I'll email him tomorrow.

  • brenty

    Team Member

    :):+1:

  • cs88rf
    edited February 2017

    @Daviduk How has the conversion gone? Today is a good day. After more than a week of tuning (from MrC) and giving feedback (from me XD), the latest 1.10 in the testing bits folder works wonders for us RF users. Among my 750ish passcards, I only have a few left that I have to manually correct, because of the crazy field titles used by RF. If you haven't already, or if you are not satisfied with the successful conversion rate of RF passcards, give the latest 1.10 a try! I'm a happy camper now waiting for more features to come to 1P :+1:

    BTW, I believe the more RF users test the converter, the more this converter will improve. As you mentioned, you have twice as many passcards as I do, so your input in giving feedback to MrC would be very helpful!

  • MikeT Agile Samurai

    Team Member

    cs88rf :+1:

  • @cs88rf I haven't started it yet, I had a problem with my newly built PC so I've been troubleshooting that, it's taken all my available time when not at work... very annoying.

    I'm either working or "on call" for work over the next 4 days, but I'm hoping to crack on with the conversion soon. I'll update you (and the forum) once I've made my first attempt.

  • MikeT Agile Samurai

    Team Member

    Hopefully, it'll work for you when you do get that free time. Good luck!

This discussion has been closed.