Access passwords from offsite

I use 1Password as my password manager at work. Occasionally I need to access the secrets contained in it when I'm not at work (e.g. today when my son was sick & I didn't have my work computer, but I was trying to work from home). I can VPN into the work network, but not access my work computer (which is a laptop that goes to sleep and becomes inaccessible).

I thought - no problem, I'll rsync the vault to some company server where I can turn on web access, and use the HTML serverless app to access my passwords. This is how I found out "1PasswordAnywhere" is now gone. =(

What can I do? It would not be acceptable for me to upload all my secrets onto a server hosted by AgileBits (even encrypted), nor would it be acceptable to download all my secrets to my home computer. I only want to be able to access the specific passwords I require, from a remote server, just like "1PasswordAnywhere" did. Perhaps technologically the difference doesn't seem huge, but to me it's the difference between explaining to my company that I downloaded/uploaded all my secret information to an untrusted machine, or that I didn't.

Is there some solution someone could recommend?

My understanding is that the available "1Password.opvault" sync requires me to use the full 1Password desktop application with a full download of the vault on the local machine, correct? That would violate the "don't download the vault" rule, so it wouldn't work for me.


1Password Version: 6.8.2
Extension Version: Not Provided
OS Version: OS X 10.12.6
Sync Type: Not Provided

Comments

  • Ben AWS Team

    Team Member

    Hi @Ken Williams

    Thanks for taking the time to write in.

    The official recommendation here would be 1Password membership. I understand your concerns about storing your secrets on "some server." Fortunately 1Password membership doesn't do that. Now, let me explain what I mean by that, because of course it appears to do exactly that.

    When you create a 1Password account you create a Master Password, and are generated a Secret Key. Both of these items are used to encrypt your data, and are never known or stored by AgileBits. Encryption takes place before any data is stored. You can read more about this here:

    About the 1Password security model

    And if you want to get into some of the nitty gritty details further explanation is available in our white paper:

    1Password Security Design White Paper

    I hope that helps. Should you have any other questions or concerns, please feel free to ask.

    Ben

  • Hi Ben, I do understand that the data is fully encrypted before it gets to the AgileBits infrastructure, and that in theory there's no way AgileBits could recover the data. But it's false to say the data isn't stored on the AgileBits servers.

    If I'm wrong about that, please tell me - your opening paragraph certainly seems to be saying that the encrypted data never hits AgileBits' servers. If that's false, please don't say it!

    I trust the encryption, but that's really irrelevant here. I can't say to my company, "I put all these secrets on an external server, but it's okay because I trust the encryption." Nope.

  • brenty

    Team Member

    > If I'm wrong about that, please tell me - your opening paragraph certainly seems to be saying that the encrypted data never hits AgileBits' servers. If that's false, please don't say it!

    @Ken Williams: Ben didn't say that. All data is encrypted locally on your device, so all the server receives is an encrypted blob.

    > Hi Ben, I do understand that the data is fully encrypted before it gets to the AgileBits infrastructure, and that in theory there's no way AgileBits could recover the data. But it's false to say the data isn't stored on the AgileBits servers.

    We may have to agree to disagree here, but neither you, your company, malicious hackers, nor government agencies can do what you say, either in theory or in practice. That's why we're all using 1Password in the first place. Apart from our own efforts, we participate in external audits and independent security researchers, so this is much more than mere words: our livelihood and reputation are on the line every day. So we do take this pretty seriously.

    > I trust the encryption, but that's really irrelevant here. I can't say to my company, "I put all these secrets on an external server, but it's okay because I trust the encryption." Nope.

    We don't have your secrets no matter what...but the confusing thing is that, regardless, what you're trying to do does seem to go against the principle you're talking about here:

    > I'll rsync the vault to some company server where I can turn on web access, and use the HTML serverless app to access my passwords. [...] It would not be acceptable for me to upload all my secrets onto a server hosted by AgileBits (even encrypted), nor would it be acceptable to download all my secrets to my home computer.

    If your home computer is considered a "trusted machine", then this is no problem: you can simply sync your data there. However, if it is considered untrusted (which you seem to be saying), it seems like you would be violating company policy by accessing this data — and therefore storing it, even temporarily — on your home computer. You just can't have it both ways, so in that case it sounds like all of this is moot. :(

  • The differences may not be important to you, but they are important to me.

    I do believe in (and understand) strong encryption, and I believe you when you say you can't decrypt the data in your possession (which is really all the Law Enforcement document you linked to says). I also believe that I couldn't decrypt the data in my possession without knowing the keys, nor could an intruder who gets my 1Password files.

    However, there is still an important difference to me between storing my vault somewhere, and not storing it there.

    I would go another round of point-counterpoint here, but it doesn't sound like we'd get anywhere. My question is answered - there's no way to usefully access my secrets on a server I control, the way I used to be able to with your 1PasswordAnywhere. I'll continue to use 1Password at home, where I don't have to square my choices with anyone's policy, but for work I'll see whether I can find similar functionality in a different product.

  • Ben AWS Team

    Team Member

    Understood. Thanks Ken. :)

    For what it's worth, we do offer a 1Password Teams service, which has been adopted by companies of all shapes and sizes, including a number which are extremely security and privacy conscious. The same technologies offered in that service are what are used for our individual and 1Password Families offerings.

    Ben

  • Yeah. If your workplace is open to a cloud-based storage solution, this is easy-peasy, this product or another. If they aren't, there's no argument in the world that won't get you canned or told to sit down. Tech details just won't trump political ones in some environments or in environments that are strongly policy driven (even if it's insane). Where I am we use a similar product, so I can use this one. But make no mistake about it, only my personal secrets or personal corporate secrets are in it. Not the shared corporate ones.

  • Ben AWS Team

    Team Member

    I can see that perspective, @AlwaysSortaCurious. Thanks for sharing.

    Ben
