How can I prevent 1Password to use any cloud service?

SimonXZ

Hi,

I upgraded to 1Password 7 and I was never asked how I want my passwords to sync. Now all have apparently been uploaded to agilebits servers for the NSA to have a look at. I am speechless. What a disaster! Now what? Why is there no prompt to only use WiFi sync?

Kind regards

Simon

Sheza

I didn't know the NSA could break encryption...

Stephen_C

You might try what I have suggested to someone else in a different thread, here.

Stephen

SimonXZ

Perhaps the NSA can‘t, perhaps they can. Who knows for sure. But they can make the any US company to hand over the data.

SimonXZ

Thank you Stephen_C

danco

@SimonXZ what were you doing before the upgrade?

Because the subscription service (version 6 or version 7) had always synced using 1password.com, it's one of the main features. And there hasn't been any change in vaults and syncing between 6 and 7.

But there's nothing to prevent you from just using the "Primary" vault (check the box under Local Vaults in the Advanced preferences) and performing the sync yourself. And you don't have to have a subscription, you can use a stand-alone licence.

SimonXZ

Thanx. Before v7 I was bought v6 from the app store without any subscription.
I strongly believe that they should be more transparent where things are stored when you set 1Password up. That is certainly missing. “1password.com” does not imply for me that things are stored on someone else’s computer.

Corey_C

Hi there @SimonXZ

The responses here have been correct. 1Password memberships have always stored data on our servers and synced through the 1Password.com/.ca/.eu service, depending on which one the user has chosen. If you wish to switch back to standalone vaults you can.

However, a couple notes about 1Password.com security both for you and for anyone else who is curious.

What sits on our servers for sync purposes is not actually your data, rather it is a blob of encrypted garbage that is completely useless to anyone but you. Your data is stored locally on your device. Before it ever leaves your device in order to sync, it is encrypted locally by your device. The encryption key is derived from two things. One of those things is your Master Password. The other thing is that Secret Key you've seen mentioned. Your Secret Key is a unique, 36-character string that your device generates when you first create your account. The encryption key derived from your Master Password and Secret Key has, at the very least, 128 bits of entropy. What this means is that it is infeasible for someone to break the encryption on your data, no matter how much money or computing power they have. It would simply take longer than any of us have left in this world.

In addition, you are the only one who knows your two secrets. Your Master Password and Secret Key are never transmitted to us in any way and we cannot access them, retrieve them or reset them at all. This means that if someone, such as a governmental agency, were to approach us and ask us to turn over our users' information, we would not be able to do so as we have no access to the encryption keys, only you do. In addition, if someone were to break into our servers, something that has never happened before but even if they did, the only thing they would get would be completely useless encrypted data that they had no hope of decrypting because, once again, only you have the keys to do so.

On another note. We are not actually a US company. AgileBits is a Canadian company based in Toronto, Ontario.

ref: EIY-29692-642

SimonXZ

Thank you very much for your extensive answer. I appreciate it very much.
I have one remaining question. If I access my blob of encrypted data through 1password.com, where is the decryption actually happening so that I see all entries in the web browser? Is the whole vault transferred and the decryption happens on my computer locally?

BTW: On a sidenote, Canada happens to belong to the 5 eyes. So, while perhaps not as bad as the US it is not really confidence inspiring either.

Corey_C

@SimonXZ

What happens when you load up 1Password.com to sign in through a web browser is that you are actually running a localized web app that makes use of WebCrypto and various other standards rather than viewing a standard web page. As always, all decryption occurs entirely locally on your machine. I'm sure one of our developers or security architects could go into more extensive detail if you wish. Otherwise, feel free to read through our Security Design White Paper if you want to get into the nitty gritty of things.