
Am I forced to use 1Password Cloud?

JMcCorison
Community Member

I am a long-time user of 1Password and have resisted moving to your new subscription model. I loathe subscriptions in general and am doubly so with something that manages my passwords. If 1Password decides to shut down and turns off their servers (and don't say it will never happen) then, poof, all my passwords are gone with no ability to access them or my secure notes. However, it seems that if I am to continue using 1Password then I will have to do so. My other major concern is that it appears I am forced to use your cloud services to store my vaults instead of a location of my choosing. Is this correct? If so, I see this as a security risk. Having all 1Password data stored in your cloud certainly makes your servers an attractive target. Yes, I know, you take security seriously, but so do many of the other companies that have been hacked.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Ben

    Hi @JMcCorison

    Thanks for your long term support of 1Password. I'd really like to help you get the most out of 1Password, and the best way to do that is with membership.

    Yes, I know, you take security seriously, but so do many of the other companies that have been hacked.

    You're absolutely right — and I'd like to try to address what we do differently than other companies. To start: most companies rely on authentication, rather than encryption, to protect most data. 1Password on the other hand encrypts everything you store inside it. The encryption keys are never known by us. Those keys are, essentially, your Master Password, and your Secret Key. There are other services that encrypt your data, but many if not most of them have access to your key, and only use one key. The Secret Key in our system protects you even in the unlikely event that we are "hacked" and all data is stolen from our servers. It makes it such that decrypting the data we store through brute force is impractical (if not impossible). This is true even if you choose a relatively weak Master Password — not that we recommend doing so.

    The imagery in this blog post may help:

    1Password is LayerUp-ed with modern authentication

    If 1Password decides to shutdown and turns off their servers (and don't say it will never happen) then, poof, all my passwords are gone with no ability to access them or my secure notes.

    That's simply not true and I can prove it. Sign up for a 1Password membership trial. Add it to your 1Password app. Add some data to it. Disconnect from the internet. Being disconnected from the internet, there is no way that you're talking to our servers.

    Even in the unlikely event that we vanish from the planet, your data is cached in your 1Password apps and would continue to be accessible to you. Now, of course, you'd likely want to migrate to another solution as the software would no longer be updated and syncing would stop working eventually, but you wouldn't lose any data.

    My other major concern is that it appears I am forced to use your cloud services to store my vaults instead of a location of my choosing. Is this correct? If so I see this as a security risk. Having all 1Password data stored in your cloud certainly makes your servers an attractive target.

    Under more common security models you'd be right: we'd be a huge target. But with our model... we don't have your keys. What we don't have can't be stolen from us.

    Does that help address your concerns?

    Ben

  • JMcCorison
    Community Member

    Ben,

    Thanks for your detailed reply. The linked-to article, and the white paper it references, allay my fears in that regard.

    How often does the 1Password app (iOS, macOS, or Windows) authenticate to your servers? Or does it just keep working forever locally without any ability to sync?

    Cheers,
    Jim

  • Ben

    @JMcCorison

    Thanks for your detailed reply. The linked-to article, and the white paper it references, allay my fears in that regard.

    Great. Glad to hear it. If there are additional questions in this regard as you read through those resources please feel free to ask.

    How often does the 1Password app (iOS, macOS, or Windows) authenticate to your servers? Or does it just keep working forever locally without any ability to sync?

    1Password has a "notifier" process that is constantly listening for updates from 1Password.com. If you're connected to the internet (and we aren't experiencing an outage), any updates essentially happen in real time. This is why syncing between devices is so fast and effective. But without an internet connection (or during an outage on our part), 1Password will continue to chug along accessing the locally cached data, potentially indefinitely. At some point we may enforce a check-in period, but if we did I imagine that would be quite a long timeout. We don't want to prevent folks who have spotty internet access from being able to reliably use 1Password.

    Ben

  • JMcCorison
    Community Member

    Ok, I'm sold. I'm still a little leery, but I think it's my dinosaur IT background rearing its head. I'll ignore it and upgrade. Thank you for your efforts.

    Cheers,
    Jim

  • gazu
    Community Member

    At some point we may enforce a check-in period, but if we did I imagine that would be quite a long timeout.

    No, please don't do this.

    I can't see there being any technical, security or licensing imperative for a timeout feature because:

    • If a criminal has access to the physical device with 1Password (plus the user's password), then it's too late.
    • It undermines the claim that we as customers 'own' our data should 1Password ever shut down.
    • If a user presently wishes to remove his vaults, he can deauthorise the device (assuming a connection).
  • Ben

    @gazu,

    I'm not aware of any plans to do so. I only mention it as a hypothetical.

    Ben

  • Ben

    @JMcCorison

    Thanks for taking the time to listen. :) Glad to hear you're willing to give it a try.

    Ben

  • tvitez
    Community Member

    For Canadian customers where data sovereignty is a concern, can you assure that vault data is stored exclusively in a Canadian cloud?

  • Lars
    1Password Alumni

    @tvitez - a few things about that:

    1. If you're Canadian and you'd like to both be billed in Canadian currency and have a my.1password.ca address (instead of .com) as well as ensuring your data is all stored in AWS-ca-central-1 (Montreal), then you should make sure you create your account at https://start.1password.ca/sign-up/plan -- not the .com address.
    2. Regardless of where your data is stored, we cannot access the contents under any circumstances. We possess neither the encryption keys to your account's vaults nor the secrets with which to derive them. All en/decryption is done client-side, including when you sign into your account in a browser at 1password.com (or, in your case, 1Password.ca), and your encryption is strengthened not only by your (hopefully well-chosen) Master Password but also by your Secret Key. So while you may have restrictions from your employer or elsewhere regarding where you're allowed to store data, if it's a personal matter, you can rest assured that your data is as secure in one region as it is in another. If you'd like a truly deep dive into the intricacies of how we keep your 1Password.com (or .ca, .eu) account secure and private, I'd recommend our 1Password.com security white paper.

    Let us know if you have any questions! :)
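The point Ben and Lars both make above, that a server-side breach yields nothing an attacker can brute-force because the high-entropy Secret Key is folded into the key derivation alongside the Master Password, is easier to see in code. The following is an added illustration written for this page, not 1Password's implementation (the real scheme is specified in the security white paper the thread links to): it combines a slow password KDF with a keyed hash of a random Secret Key, then runs a wordlist attack against a stolen verifier with and without that Secret Key. The iteration count, salt, wordlist, Secret Key format and verifier construction are all constructed assumptions for the demo.

```python
"""Illustrative two-secret key derivation and an offline-guessing attempt.

Simplified model written for this page; NOT 1Password's actual algorithm.
Every constant and helper name below is an assumption for the demonstration.
"""
import base64
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed work factor for the password-side KDF


def generate_secret_key() -> str:
    """128 bits of randomness, shown as base32 text the user keeps with the app."""
    return base64.b32encode(secrets.token_bytes(16)).decode().rstrip("=")


def derive_key(master_password: str, secret_key: str, salt: bytes) -> bytes:
    """Combine a slow KDF over the (possibly weak) password with a keyed hash
    of the high-entropy Secret Key. The XOR output looks uniformly random to
    anyone who lacks either half, so guessing the password alone is useless."""
    pw_part = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, ITERATIONS, dklen=32
    )
    sk_part = hmac.new(secret_key.encode("ascii"), salt, "sha256").digest()
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def make_verifier(key: bytes) -> bytes:
    """The only thing a server-side record gives an attacker to test guesses
    against (stand-in for an encrypted vault blob or a keyed check value)."""
    return hmac.new(key, b"vault-key-check", "sha256").digest()


def offline_guess(wordlist, secret_key_guess: str, salt: bytes, verifier: bytes):
    """Attacker model: stolen salt + verifier, a password wordlist, and some
    guess at the Secret Key. Returns the recovered password or None."""
    for candidate in wordlist:
        key = derive_key(candidate, secret_key_guess, salt)
        if hmac.compare_digest(make_verifier(key), verifier):
            return candidate
    return None


def secret_key_search_cost_years(guesses_per_second: float) -> float:
    """Years to exhaust a 128-bit Secret Key at the given rate. Each guess also
    costs one PBKDF2 run, so the rate is bounded by ITERATIONS as well."""
    return 2 ** 128 / guesses_per_second / (365 * 24 * 3600)


# Constructed demo data: a deliberately weak password and a tiny wordlist.
WORDLIST = ["letmein", "123456", "password", "password123", "qwerty"]
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed fixed salt
WEAK_PASSWORD = "password123"
SECRET_KEY = "A3ZQ7-K2M9P-XV4HB-TN8RC-WD6JF-L5YGS"  # constructed; format is an assumption
VERIFIER = make_verifier(derive_key(WEAK_PASSWORD, SECRET_KEY, SALT))


def demo():
    """Returns (password found with the Secret Key, password found without it)."""
    # Attacker who also has the Secret Key (e.g. malware on the user's own device):
    # the weak password falls on the fourth guess.
    with_sk = offline_guess(WORDLIST, SECRET_KEY, SALT, VERIFIER)
    # Attacker with only the stolen server-side record and a wrong Secret Key:
    # the same wordlist yields nothing, however weak the password is.
    without_sk = offline_guess(WORDLIST, generate_secret_key(), SALT, VERIFIER)
    return with_sk, without_sk


if __name__ == "__main__":
    found, not_found = demo()
    print(f"guess with Secret Key: {found!r}; without: {not_found!r}")
    print(
        "years to exhaust the Secret Key at 1e12 guesses/s: "
        f"{secret_key_search_cost_years(1e12):.2e}"
    )
```

The design choice worth noting is where each secret lives: the Master Password is something the user remembers, the Secret Key is generated on the device and never sent to the server, so the server-side record (salt plus verifier here) contains nothing an attacker can test a password wordlist against. That is also why the thread's advice to keep the Secret Key safe matters: an attacker who obtains it from an unlocked device is back to attacking only the Master Password.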
