Moving Beyond 1PasswordAnywhere discussion

Comments

  • dteare Agile Founder

    Team Member
    edited August 2016

    Hello again @RichBT :)

    I don't really have anything to add but I wanted you to know I read your messages and appreciate you following up with us.

    The OPVault format is pretty awesome. The faster sync times and authenticated encryption are my favorite enhancements, but as great as these are, I found it hard to write a newsletter about it.

    Maybe someday I can segment our list and send out multiple newsletters but for now it's one large list. I like it that way for simplicity's sake, and, quite frankly, I have enough trouble writing one newsletter every month let alone two :)

    @Ruarl: thank you for your trust. I agree the perception is indeed poor as the timing was lousy, but again, we didn't change anything so we weren't in charge of the timing. That makes it hard to coordinate :)

  • The loss of 1PasswordAnywhere means that there is no longer a solution for any operating system other than the meager two supported ones. The fact that I could get access to my vaults previously, in a supported way, on unsupported systems was one of the original selling points for me. That's a big part of why I bought into your ecosystem to begin with and have stayed with it for as long as I have. As far as I'm concerned, this is a major loss of functionality.

    I don't begrudge you the cost of an upgrade. You folks obviously once had a very strong understanding of my needs and of the needs of the security conscious. However, it would appear as though your corporate values have now shifted away from that and that's disappointing. It might be the right thing for you folks corporately, which might look like greed to some, but it's moving you further and further away from addressing my needs.

  • khad Social Choreographer

    Team Member

    @teamnoir,

    I just replied to your post about this in another thread. I hope you will forgive me for simply quoting what I wrote there, but I believe the answer is the same:

    Dropbox removing the ability to run 1PasswordAnywhere on their servers is not related to the debut of optional 1Password subscription plans in any way. The timing — while unfortunate — was entirely coincidental. That said, 1PasswordAnywhere still functions if you run it locally. Put a copy of a vault in the Agile Keychain format on a USB flash drive (which I would presume you would prefer to Dropbox anyway, since Dropbox is a cloud hosting service). Then you can access your data in a browser locally.

    Alternatively, folks can sign up for a 1Password account and have full (read and write) access to your data on 1Password.com, but you've already mentioned you're not interested in that.

    For anyone else coming across this discussion, I do want to point out that 1Password accounts all have an additional, non-optional factor to keep your account secure. We call it the Account Key, and it's a 128-bit random string of letters and numbers. It is combined with your Master Password to harden the encryption. It is impossible to decrypt the data without the Account Key, and 128 bits is uncrackable in the age of the known universe. Learn more about the Account Key.

    If you have any other questions or concerns, please don't hesitate to let me know.
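
An added illustration, not part of the post above and not 1Password's code: a simplified sketch of combining a memorized password with a random 128-bit secret so that captured server-side data cannot be tested against password guesses alone. The derivation, function names, labels and sample values are all assumptions made for the demo; the page does not describe the actual construction.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 10_000  # kept low so the demo runs quickly


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract, then expand to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_key(master_password: str, account_key: bytes, salt: bytes) -> bytes:
    """XOR a slow password hash with a key derived from the random secret."""
    pw_part = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), salt, ITERATIONS, dklen=32
    )
    ak_part = hkdf_sha256(account_key, salt, b"account-key-demo")
    return bytes(a ^ b for a, b in zip(pw_part, ak_part))


def verifier(key: bytes) -> bytes:
    """Value a server could store to check a key without holding the key."""
    return hmac.new(key, b"verifier-demo", hashlib.sha256).digest()


def guess_password(candidates, account_key, salt, stolen_verifier):
    """Return the candidate that reproduces the verifier, or None if none does."""
    for candidate in candidates:
        key = derive_key(candidate, account_key, salt)
        if hmac.compare_digest(verifier(key), stolen_verifier):
            return candidate
    return None


# Constructed sample data (not real account material).
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
ACCOUNT_KEY = bytes(range(16))  # 128-bit stand-in; a real one is random
MASTER_PASSWORD = "correct horse battery"
STOLEN = verifier(derive_key(MASTER_PASSWORD, ACCOUNT_KEY, SALT))
WORDLIST = ["password1", "letmein", "correct horse battery", "hunter2"]

if __name__ == "__main__":
    # The right password is in the list, but it only matches with the right key.
    print("with Account Key:   ", guess_password(WORDLIST, ACCOUNT_KEY, SALT, STOLEN))
    print("without Account Key:",
          guess_password(WORDLIST, secrets.token_bytes(16), SALT, STOLEN))
```

With the wrong 128-bit value the correct password is rejected like any other guess, so the guessing work scales with the random secret rather than with the password's strength.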

  • I've just hit this issue now at a point where I wanted to fetch a password while I was at work.

    I had to uninstall Dropbox from work, because company policy changed. As a result, 1Password's sync from Dropbox no longer works. Why it can't contact the Dropbox web site is anybody's guess. But in any case, because it uses the local filesystem, and Dropbox is no longer syncing that, it's no longer possible to sync using Dropbox. My personal iCloud account is not registered at work either, for obvious reasons. I can sync to a folder, but it's not like I have the sync in a folder. If I did, I could just open 1Password.html from there, and that would presumably work.

    The suggested solution I saw on the original post is to use the phone app... but 1Password has encouraged creating very long passwords, so basically you're telling us that manually typing in 50-character long passwords is okay. It really isn't. Another horrid workaround would involve copying it from 1Password into Notes or something that does still sync to somewhere I can copy it from, copying it out of there and then deleting it again. Quicker than typing in 50 characters - but not as secure. Then there is presumably the "Run a Wi-Fi server from the Mac" option, which I guess works for emergencies like this... but I have to disconnect my normal wifi access every time I want to do that, because iOS can't connect to more than one at a time.

    Really a better solution is wanted. Or rather, an acceptable solution is wanted, because the current ones just aren't.

  • khad Social Choreographer

    Team Member

    Hi @trejkaz,

    I'm really sorry for the interruption to your workflow. It sounds like corporate restrictions are now preventing you from syncing with Dropbox.

    A 1Password.com account may be just the ticket. It keeps your data up to date without using a third-party sync service. Learn more about 1Password accounts.

    Alternatively, you could use the Folder Sync option on a USB flash drive or the WLAN server. If corporate restrictions don't prevent you from using the WLAN server on the company network, you should be able to sync without switching networks. Just connect both your Mac and mobile device to the same network to sync.

    If you have any additional questions, please don't hesitate to let me know. I'm sure we can get things working well for you if we know some more details about your situation.

    Cheers!

  • I am trying a 1password subscription to see if it can replace 1password Anywhere, and I am still confused about something:

    Are we expected to always have access to the Account Key in order to access from a new device? What is one to do in the case of a true emergency, e.g., while traveling? Is one expected to memorize the key, and is there any way to change it?

    A few years ago, through some very unfortunate circumstances, I needed to access my vault while I did not have access to my computer, phone, wallet, etc. 1password Anywhere totally saved me; I would have been totally screwed without it. Am I correct in understanding that there is no way I could do this now, unless I have my Account Key memorized?

    I feel a bit shaken to discover that I no longer have this safety net that I used to rely on. I'm sure that requiring the Account Key makes the 1password web interface much more secure than 1password Anywhere was. But the personal measure of security that I felt knowing I could access my vault in an emergency was a MUCH more valuable security feature to me.

    If I could change the Account Key to be my own 40 character long string, then I could make it something I would remember. This would give me the same setup I had before, where I effectively needed two passwords (one for Dropbox and one master password). But it seems there is no way to change it, and I'm not optimistic about trying to commit it to memory.

    Is there something I'm missing, or am I indeed losing an important measure of personal security with a 1password subscription that I used to have with 1password Anywhere?

  • khad Social Choreographer

    Team Member

    Good questions, @alkalifly.

    As you correctly pointed out, the Account Key dramatically increases the security of your 1Password account. Your Master Password is the bit that you are supposed to know. Allowing folks to change their Account Keys would completely defeat the additional security the Account Key provides. The good news is that you don't need to memorize your Account Key. It's not intended to be memorized.

    You can use any authorized device to authorize a new one (since the Account Key is stored on each authorized device). If you lose access to all your devices, you can use your Emergency Kit. That's why it's important to save your Emergency Kit and store it securely:

    • Print a hard copy or store it on a USB flash drive. Don't store it online or email it.
    • Fill in your Master Password. In an emergency, you or your loved one will be glad to have all your account details in one place.
    • Keep it somewhere safe, like with your passport or birth certificate.
    • Give a copy to a trusted loved one, like your spouse or someone in your will.

    It sounds like you may be more comfortable keeping a copy of your Emergency Kit (or even just your Account Key) in your wallet or purse.

    Learn more

  • Thanks, @khad, for the suggestions. Unfortunately, none of them restore my sense of security, because none of them would have helped me in my previous situation. If I'd had a copy in my wallet, it would have been inaccessible to me, as was my phone, laptop, etc.

    I'm looking for a full on emergency solution. Something that would work even if I washed up on shore from a shipwreck or woke up in a dark alley without even the clothes on my back. Something where as long as I can remember one or two passwords, I would not need any material items such as a phone or a piece of paper to get to my vault.

    Have any users come up with any solutions for this? Is anyone storing their Account Key online in some secure-yet-accessible way? Perhaps a password-protected PDF in Dropbox? I know that this would compromise some of the account security that's part of the 1password system, but my vault would still be protected by my master password. As long as I'm confident that my master password is secure and sufficiently long, wouldn't that afford me about the same degree of security I had previously with 1password Anywhere?

  • khad Social Choreographer

    Team Member

    @alkalifly,

    We can't in good conscience recommend that folks store their Account Keys online, but you can make such a decision for yourself.

    Just a couple thoughts:

    • If I washed up on shore from a shipwreck, my 1Password data may be the least of my immediate concerns. Without a phone or computer, not even an Emergency Kit would be of much use to me.
    • Relying solely on "something you know" (i.e. your Master Password) means that you end up with the opposite problem: if, due to whatever circumstances led to being washed up on shore, you have lost your memory, you are in just as bad of a situation. That's why we recommend saving and securely storing the Emergency Kit, which includes a place for writing down your Master Password. This isn't just a "what if" scenario either. We've talked to a number of folks over the years who rely on 1Password because they have memory issues. We've yet to hear from someone in the "washed up on shore" scenario.

    Of course, it's always good to be prepared, so you'll have to handle the storage of your Account Key and/or Emergency Kit in a way that suits your particular desires for convenient security. Our official recommendation is to always store it offline.

  • jpgoldberg Agile Customer Care

    Team Member

    Hi @alkalifly,

    I have to concur with @khad that we cannot in good conscience advise anyone to store their Account Key in a public place, but if you feel the need to have your security depend only on the strength and secrecy of your Master Password, then I have a couple of extra suggestions if you opt to not follow our advice about Account Keys:

    • Use a very strong Master Password. If you use our wordlist generator, make it at least four words long.

      If someone captures your data (say through a breach of our servers), it will only be the strength of your Master Password that is protecting you. A three word password could possibly withstand an attack of $1000, while a four word Master Password from our generator would withstand an attack of $1,000,000.

    • Be very wary of where you enter your Master Password. Use a 1Password native client if at all possible to avoid the chance of phishing attacks.

    Phoning home for an Account Key

    But I do see your concern. If, say, you are robbed while traveling you will need to get to all of the useful things that you keep in 1Password (such as passport details and bank/credit card information). I don't know what country you are from, but the US consulate will help US citizens phone home. [1]

    When traveling, it is good to leave a copy of your passport details with others not traveling with you, and under those circumstances you could also leave your Account Key in a sealed envelope. Of course this all takes preparation before you find yourself in need of such a thing.


    1. Someday, I will have to write up an account of my trip to Nicaragua in the summer of 1986. I did a lot of stupid things when I was younger. I still do a lot of stupid things, but I hope that they are newer and greater stupid things. So presenting myself to the US consulate in a country that the US was trying to undermine through supporting armed rebellion without my passport or more than a tiny bit of cash is a thing I've done. It isn't pleasant. But it is doable.

  • Forrest Junior Member

    I'm tech savvy and a huge fan of 1Password. I've used it since version 4. However, this whole issue is a major clusterf*ck.

    I cannot believe AgileBits has done such a poor job of 1) notifying its customers of the change and 2) implementing an alternative that is nowhere near the usefulness of 1PasswordAnywhere. Honestly, it feels like a bait and switch.

    I've searched the forums and the knowledgebase and there's no good, clear, documentation of what to do without ponying up for a paid account. There's documentation and solutions, but nothing that's satisfactory.

    Here's what I want:
    Syncing/backing up through Dropbox (as it is in the current scenario). Then, if my computer and/or phone is lost or stolen, I need to be able to grab the 1Password vault(s) from Dropbox to a local computer (read my girlfriend's) and access all my information from her copy of 1Password. In addition, AgileBits should provide a "reader" app that can be downloaded for free from anywhere, at anytime, to access my vaults. It can even be restricted so that it doesn't work with website logins. All I need to do is to be able to get at the information. I use 1Password for SO MUCH MORE than passwords and logging into sites. I have my health insurance, car info, bank account numbers, credit cards, et cetera, et cetera all stored in 1Password.

  • @Forrest without being a snob, as I was one of the users of 1PasswordAnywhere, what is preventing you from doing that today? If you store your data in Dropbox, you can easily download the iOS and Mac app for free from their website and then load the vaults locally on any PC. Yes, this means you might need Admin rights so it is not something you can do from, say, a cafe somewhere. But in your example, your girlfriend's laptop would still allow you to do this.

    As for the iOS device, you would just need to login to the right Dropbox account and then allow syncing of the data to the 1Password application.

    Correct me anywhere if I am wrong. It has been a while since I used Dropbox as I moved to the 1Password Subscription service.

  • khad Social Choreographer

    Team Member

    @cwanja, I was just about to say something similar. The only thing 1PasswordAnywhere provided was web access. If you want to use the apps — which are more secure than 1PasswordAnywhere, especially if accessed on an untrusted device — then you should be all set. :)

  • Forrest Junior Member

    Grabbing the vaults and opening locally has not worked for me. I only get an "import" option with syncing. This while my existing (or my girlfriend's) vaults are still open. In a pinch, I'd do it, but the situation is not satisfactory. I run the risk of confusing multiple vaults called the same name; also, I don't want to sync the new (grabbed from Dropbox) at all. As I said previously, I find the information and documentation on all of this is lacking. My girlfriend, for example, could never figure it out. There needs to be a very clear, step by step crib sheet.

  • khad Social Choreographer

    Team Member

    @Forrest,

    Ah! I think I see the confusion then. You're talking about opening a vault in 1Password on your girlfriend's computer where it sounds like 1Password is already set up. Is that the case? If so, that may be where the confusion lies. When you first install 1Password, it's very easy to choose Dropbox and open the vault. But if 1Password is already set up for your girlfriend, you have a couple different options.

    My recommendation (if you don't sign up for a 1Password account) would be to create a new Mac user account and set up 1Password (and Dropbox) for yourself in that separate account.

    Alternatively, you would need to sign in to your own Dropbox account (or share the folder where your 1Password vault is from your Dropbox account to hers). Then double-click the vault in Finder. You'll need to enter the Master Password, and the vault will be added as a secondary vault. The downside to this approach is that, until you remove your vault from 1Password, your girlfriend will be able to access your vault since you added it to her 1Password setup. Indeed, the only way to access the vault would be by entering your girlfriend's Master Password since the vault was added to her 1Password setup. That's why the above method is much preferred, but you can do it this way in a real emergency. The important thing is that the "import" option is not what you want. That's only for importing unencrypted data (like from a CSV).

    To be honest, it is a little complicated. That's precisely why we introduced 1Password.com accounts. The old way of having standalone vaults rather than whole accounts (with multiple vaults) was sort of bursting at the seams. It was never intended to support complex setups or account recovery. 1Password accounts were built from the ground up for secure access online, to provide account recovery, with support for multiple vaults (and per-vault permissions). When you have a 1Password account, you simply sign in to your account on 1Password.com. That's it. Which is why we've been recommending them.

    If you prefer to stick with standalone vaults, I hope my suggestions above help. If you need more specific assistance accessing your vault on a new device, it might be better to create a new thread where we can better assist you. If you do, please feel free to @khad me.

  • brenty

    Team Member
    edited February 2017

    @Forrest: I also wanted to add one thing since you mentioned it but it doesn't look like anyone else has explicitly addressed this: the mobile apps are a free download, so if your vault is in Dropbox, all you need to do is grab it from the app store and load it up and you're good to go. Nowadays even burner phones are capable of this. Cheers! :)

  • Hi,

    1PasswordAnywhere.html still works for me, under specific conditions. I use it daily on Linux.

    What is the likelihood of 1Password changing its data format in a way that breaks 1PasswordAnywhere.html for good?

    Thanks!

  • khad Social Choreographer

    Team Member

    Hi @dpedu,

    The Agile Keychain format (the format required to use 1Password.html) will likely not be receiving any updates as we have moved to OPVault and 1Password accounts [PDF]. We can't make any promises. For example, I'm having trouble running Classic Mac OS apps on my new MacBook. Or the world may end tomorrow. But barring any unforeseen events or the inevitable march of progress in technology, you should be fine for quite a while.

This discussion has been closed.