Hi, thanks for updating the interface of 1password for windows, i have immediately subscribed after checking, great job. But unfortunately, it is impossible to open a local vault that we had on 1password 7. There are some passwords which we are not allowed to sync to cloud (for work), hence they must stay local, and personal passwords that I want to sync to cloud. It would be very nice if opening a local vault on 1password 8. Is it planned or will not be possible ever? Thanks. 1Password Version: 8 Extension Version: Not Provided OS Version: windows 10

Hi @benwade Thank you for your interest in 1Password 8. I understand the concern regarding the lack of standalone vaults in this version. In case it is helpful, I wanted to outline some of the important aspects of how we handle your data. 1Password always works from a local copy of your data. Data you enter is encrypted before it is saved into this local database. The database is stored on your computer, and syncs when you are online. This means you can access your data while you're offline (or in the event that we are offline). The Secret Key - This is explained more fully in our security white paper, but the short explanation is that if someone were to guess or bruteforce your account password, that still wouldn't be enough to get your data. The Secret Key provides a serious safeguard against this, and the mathematical complexity that it puts in an attacker's path is essentially insurmountable with current attack methods and hardware. It makes it such that even if someone could steal everything from our servers, they wouldn't be able to access any secrets you've stored in 1Password. This key is not available to us, either, so even in the case of a malicious employee with the highest levels of access, your data is protected. We put our trust in encryption rather than authentication. This is because, in short, "Encryption means that 1Password does not face the kinds of threats a largely authentication-based system would face, and we have used an authentication mechanism that defends against many of the threats faced by many other systems." You can read more about this, if you're interested, in our short guide here: https://support.1password.com/authentication-encryption/ We undergo security audits and pen tests, which you can find here: https://support.1password.com/security-assessments/ In short, we have made 1Password as secure as possible, keep the ability to unlock your data out of our own hands, collect nothing besides what's needed to run the service, and continually have our security tested for weaknesses. One of our founders, Dave, wrote about why we're moving away from standalone vaults and to membership exclusively, here. While of course you are ultimately the final judge of what's best (or perhaps even necessary based on policies etc) for your situation, I hope this provides some helpful context for how we're doing things now and going forward. Ben

I have the same issue as Ben - my employer has strict requirements for where their secrets may be stored, with strong regulatory and industry specific attestations required - beyond the SOC2 that you attest to. If you had a docker container / local server option - even if that server required a phone-home for licensing purposes- that would enable my continued usage of Version 8.

There's a survey in progress here concerning self-hosting : https://survey.1password.com/self-host/

Yep; indeed. Thanks for calling that out, @"J.M"! @"Joshua Samuel" I'd encourage you to participate in the survey. This will help us gauge the level of interest in such a solution, and help us determine feasibility. Ben

1P_Ben Will the 1Password iOS app be updated to version 8, or will a separate version be added to the App Store? I wish to stay on stand-alone, Wi-Fi synced, vaults for now in version 7. I’m concerned having app auto-update on will leave me stuck on the new version!

Local Vault | 1Password Community

47 Replies

1P_Ben
1Password Team
4 years ago
I understand. That's not something that we can support or encourage, either. There's a lot of alternatives out there to Quicken 2007 that don't require you to run an insecure operating system. I know that's not what you are hoping to hear, but that's our position. At the end of the day we're a company that is heavily invested in the security of our customers, and using legacy y maintained software is incongruent with that. If you are intent on doing so then I would highly recommend that you disconnect such a machine from the Internet and use it solely for the legacy software that you're keeping it for.

Ben
Former Member
4 years ago

I don't think that is a promise any software vendor can make, @jetboy, and it certainly isn't one I'm able to make. The nature of software is that in order for it to be viable long term it needs to receive updates. For starters, you’d essentially have to be “frozen in time” and not update either your operating system or your web browsers. That isn’t a practical solution in most cases. It is also a really poor option in terms of security, which is one of the core reasons to use 1Password in the first place. Otherwise it is very possible that an update from a 3rd party would be incompatible with the existing version of 1Password.

In my post, 1P_Ben, I was talking about the unusual scenario where a machine is deliberately "frozen in time" for specific reasons, with examples of where it's necessary. I thought it was clear that I was not talking about a current, updated system. Obviously, older software becomes obsolete on such machines. That's elementary. I'm sorry I did such a poor job of explaining my point that you think I'm demanding something unreasonable or impossible.
1P_Ben
1Password Team
4 years ago

I need assurance that my software will continue to function and my data will remain accessible and under my control even if AgileBits is purchased or goes out of business.

I don't think that is a promise any software vendor can make, @jetboy, and it certainly isn't one I'm able to make. The nature of software is that in order for it to be viable long term it needs to receive updates. For starters, you’d essentially have to be “frozen in time” and not update either your operating system or your web browsers. That isn’t a practical solution in most cases. It is also a really poor option in terms of security, which is one of the core reasons to use 1Password in the first place. Otherwise it is very possible that an update from a 3rd party would be incompatible with the existing version of 1Password.

The need to release frequent updates in order to maintain compatibility was one of the motivating factors behind moving to a subscription model. As an example, we just had to update 1Password 7 and 1Password 8 because Chrome changed their signing certificate, and so earlier version of 1Password can no longer connect to it.

That said, we intentionally offer exports with open formats to ensure your data remains yours. This article (from 2013) is a little dated at this point, but the principal still holds true:

You have secrets; we don’t, why our data format is public

You can read about the 1PUX open format in 1Password 8 here:

About the 1Password Unencrypted Export format

the software must continue to function even if I'm running an old, no longer supported version or the company is consumed by another.

I don't think that's feasible. It certainly isn't something I can promise with regards to 1Password, and frankly I wouldn't recommend trying to do so. In such a scenario the best course of action would be to export your data and migrate to an actively maintained solution.

Ben
Former Member
4 years ago

Vaults that are *exclusively* "local," and don't sync anywhere, are not part of our business model

I sync my local vaults myself or using the build-in sync-to-folder and WLAN sync to sync my iOS devices. But I don't think this counts under the above quote. I'd be fine running my own 1Password service, but that will be of no use if the apps stop working when the subscription ends (e.g., on an older machine that's no longer supported, or if the company gets purchased or goes out of business).

I have a number of older machines around, running various versions of MacOS, that I use because the software on them has no good replacement or none that maintains the data (e.g., Quicken 2007). I can do this because the software is licensed and will continue to run, and my data is local. With a subscription model, if the subscription expires, or the service is discontinued, or I need to stick with an old version on a particular machine, I'm sunk. It stops working if any of these happen. Or, if the company is purchased or goes out of business, the software will stop working and/or the data becomes inaccessible.

I need assurance that my software will continue to function and my data will remain accessible and under my control even if AgileBits is purchased or goes out of business. I'm happy to host a service on one of my own servers and do my own backups. I'm fine with paying for software but the software must continue to function even if I'm running an old, no longer supported version or the company is consumed by another.
1P_Ben
1Password Team
4 years ago
Sounds like we're at an impasse, for now. Local vaults are not part of the plan for 1Password 8. The best I could suggest would be to fill out our survey on self-hosting of the 1Password service, if that would be a potential solution for your organization. These responses are reviewed by dteare directly.

https://survey.1password.com/self-host/

Ben
Former Member
4 years ago
What ljohnston said is correct. While you may 100 percent believe in your security solution (and I believe in it as well), my employer will not change this stance. And with good reason - everything is secure - until someone finds that one thing and then it’s not.

Please consider providing a mechanism for creating a local storage vault.
ljohnston
New Contributor
4 years ago

As always, I'd be happy to connect you with our specialist team if someone at your organization would like to discuss our security model, how things work, and ...

While I appreciate the offer, it is astounding how naive that statement is. There is no way - and I wouldn't even want to waste your time - that our company is ever going to change it's position on cloud-based password storage. And we're talking over 140K employees. While 1 password was on the approved list, it is no longer.

I'm going to guess that the companies that @benwade, hotoutside, @davido1138, @blaukraut, etc. work for are equally as unlikely to change their stance. This is just sad.
1P_PeterG
Community Manager
4 years ago
I'm sorry to hear this, hotoutside! As always, I'd be happy to connect you with our specialist team if someone at your organization would like to discuss our security model, how things work, and why large orgs with high security requirements are finding we present the strongest option.
hotoutside
Occasional Contributor
4 years ago
Agree with @blaukraut. My org is in the process of spec'ing a password manager rollout (we've got over 40k employees). My understanding is 1Password was a top candidate, but with this 1P8 announcement, we'd be unable to meet existing contractual agreements... Such a bummer/pain.

Short version: we've removed 1P8 from the candidates list entirely.
Former Member
4 years ago
@blaukraut Check out Enpass. It supports local vaults that you can then choose to sync either via a cloud service (iCloud, Dropbox, etc.), not sync at all, or sync via your local WiFi network b/w your devices. I.e., all the ways you used to be able to store and sync your 1Password vault until AgileBits got greedy.

Forum Discussion

Local Vault

47 Replies

You have secrets; we don’t, why our data format is public

About the 1Password Unencrypted Export format

Featured discussions

September at 1Password: Browser versions, enhanced security, and new integrations

Recent discussions

What happens to a shared vault if the person who shared it stops sharing?

Lowes.com Passkey Issue

TOTP & Security Key MFA

Can't select SOME items from the item list in the Safari extension

Password entry gets converted to a Login entry