wernerstroe
New Contributor
2 months ago

Questions about security, availability, and data protection when upgrading from 1Password V7 to V8

Hello 1Password-Team,

I’m currently using 1Password version 7 and considering an upgrade to version 8.
However, I still have several open questions and concerns regarding security, cloud storage, availability, and backups.

I’d really appreciate it if someone from the 1Password team could clarify these points for me.

My questions refer to version 8:

  1. Access to the cloud / possible restrictions:
    Is it theoretically possible that access to my passwords (stored in the cloud) could be denied or blocked – for example due to a policy violation, a government order, or for other reasons?
    If so, would there still be any way to access my data locally or offline in such a case?
  2. Encryption and third-party access:
    Are the data stored in the cloud fully encrypted so that not even 1Password itself can access them?
    And could a government legally compel you, as the service provider, to grant access to a specific account or provide decryption information?
  3. Failed subscription payment:
    What happens if a yearly subscription payment fails (for example, due to an expired credit card)?
    - How long will I still have access to my account?
    - Will the account eventually be suspended or deleted?
  4. Access for relatives in case of death:
    If the account holder passes away unexpectedly, but relatives have the login credentials – how long can they still access the data if no further payments are made?
  5. Emergency access:
    Will there be an official emergency access feature in version 8 that allows family members to access the vault without knowing the master password in case of an emergency?
  6. Encryption of all vault data:
    Are all stored items (including custom fields, notes, attachments, uploaded files, etc.) fully encrypted?
    In the event of a data breach like the one that affected LastPass – would my data remain completely secure with a strong master password, or is there still some residual risk?
  7. Offline access:
    Is it possible to access vault data when you don’t have an internet connection for an extended period of time?
    And is there any time limit after which an online connection becomes mandatory?
  8. Server outage:
    If the 1Password servers themselves are unavailable for an extended period, can users still access locally cached data, or would access eventually be blocked because the servers can’t be reached?
  9. Data loss in the cloud:
    Is there any theoretical possibility that data stored in the 1Password cloud could be lost (for example, due to a system error)?
    I remember that in 2023, some Google Drive users reported losing data from the cloud.
    Could something like this happen with 1Password, or are there redundancies and backups ensuring that data is 100% safe?
  10. Backups and exports:
    When creating manual backups or exports – do they include all data from the vault, including custom fields and attachments?
  11. EU region / data location:
    When selecting the EU region during registration – are the data stored exclusively on servers located in the EU, or are they also distributed to other locations such as the US or Canada?
    And can users explicitly choose the data region, or is it determined automatically when registering through the EU domain?
  12. Loss of Secret Key or Master Password:
    What options are available if a user loses their Secret Key or Master Password?
    Are there any recovery mechanisms, or would access to the data be permanently lost in that case?

 

I’d appreciate a detailed response so that I can make an informed decision about upgrading to version 8.

Thank you very much in advance!

Best regards
Werner

4 Replies

  • 1P_SimonH
    Community Manager

    Hi wernerstroe,

    Good questions! Tom answered a lot of these (thanks, Tom!), but I'll still answer them all just to be thorough. Please let me know if I overlooked any questions or if you have follow-up questions.

    1. Access to the cloud / possible restrictions:
      Is it theoretically possible that access to my passwords (stored in the cloud) could be denied or blocked – for example due to a policy violation, a government order, or for other reasons?
      If so, would there still be any way to access my data locally or offline in such a case?

      Answer: 

      If you have exported your 1Password data (more on that below), you would be able to view this data regardless of access to 1Password apps or services. Both file formats are unencrypted and don’t require using 1Password to view.

      Access to your account could only be affected in very limited situations, such as compliance with applicable law or a confirmed violation of our Terms of Service.

      You can learn more about how we handle legal requests and account access in our Terms of Service and Information for Law Enforcement pages.

    2. Encryption and third-party access:
      Are the data stored in the cloud fully encrypted so that not even 1Password itself can access them?
      And could a government legally compel you, as the service provider, to grant access to a specific account or provide decryption information?

      Answer: 
      The data stored in the cloud is indeed fully encrypted and even we don’t have access to it. For questions about government / law enforcement requests, I’d point you again to this document which includes: “We do not have the ability to decrypt the list of logins or the passwords that our users store in 1Password.”

    3. Failed subscription payment:
      What happens if a yearly subscription payment fails (for example, due to an expired credit card)?
      - How long will I still have access to my account?
      - Will the account eventually be suspended or deleted?

      Answer:
      If your subscription lapses, your account becomes frozen. When an account is frozen, it’s essentially read-only, so you can still access your data, you just won’t be able to create or update items in 1Password. The account will still exist in a frozen state until you choose to delete it.

    4. Access for relatives in case of death:
      If the account holder passes away unexpectedly, but relatives have the login credentials – how long can they still access the data if no further payments are made?

      Answer:
      The deceased’s account would be frozen, but still be accessible indefinitely to family members with the credentials.

    5. Emergency access:
      Will there be an official emergency access feature in version 8 that allows family members to access the vault without knowing the master password in case of an emergency?

      Answer:
      We don’t currently have this functionality, but I’m happy to submit a feature request for it on your behalf. Just let me know!

    6. Encryption of all vault data:
      Are all stored items (including custom fields, notes, attachments, uploaded files, etc.) fully encrypted?
      In the event of a data breach like the one that affected LastPass – would my data remain completely secure with a strong master password, or is there still some residual risk?

      Answer:
      All of your stored items are fully encrypted and I agree with Tom that you might enjoy reading https://support.1password.com/1password-security/ and https://agilebits.github.io/security-design/, as well as this blog post: https://1password.com/blog/what-we-dont-know-about-you.

      Even if our servers were breached, attackers would only find encrypted gibberish that would be useless and unreadable without your account password and Secret Key.

    7. Offline access:
      Is it possible to access vault data when you don’t have an internet connection for an extended period of time?
      And is there any time limit after which an online connection becomes mandatory?

      Answer:
      For context, my answer here assumes you are using the 1Password app and not using SSO (if you are using SSO, read this).

      Your items are cached and decrypted locally, so you can use 1Password without an internet connection, with a couple of exceptions: Attachments that haven’t been accessed on the device in the past aren’t cached and passkeys wouldn’t function. There is no time limit for using 1Password in offline mode.

    8. Server outage:
      If the 1Password servers themselves are unavailable for an extended period, can users still access locally cached data, or would access eventually be blocked because the servers can’t be reached?

      Answer:
      Like above, my answer here assumes you are not using SSO.

      If you are using the 1Password app (and not 1Password.com), in the event of a server outage 1Password will still function just like in offline mode using locally-cached data, with a couple of exceptions: Attachments that haven’t been accessed on the device in the past aren’t cached and passkeys wouldn’t function.

    9. Data loss in the cloud:
      Is there any theoretical possibility that data stored in the 1Password cloud could be lost (for example, due to a system error)?
      I remember that in 2023, some Google Drive users reported losing data from the cloud.
      Could something like this happen with 1Password, or are there redundancies and backups ensuring that data is 100% safe?

      Answer:
      All items and vaults are backed up daily to prevent data loss.

    10. Backups and exports:
      When creating manual backups or exports – do they include all data from the vault, including custom fields and attachments?

      Answer:
      There are two options for exports/backups: You can export a CSV file or a 1Password Unencrypted Export. To be clear: Both of these formats are not encrypted, so use caution in storing them somewhere secure.

      The CSV option is more limited in what it exports, while the .1PUX option contains everything except passkeys.

    11. EU region / data location:
      When selecting the EU region during registration – are the data stored exclusively on servers located in the EU, or are they also distributed to other locations such as the US or Canada?
      And can users explicitly choose the data region, or is it determined automatically when registering through the EU domain?

      Answer:
      Your region determines where your data is stored and that data is stored exclusively in that region. You can learn more about that here.

    12. Loss of Secret Key or Master Password:
      What options are available if a user loses their Secret Key or Master Password?
      Are there any recovery mechanisms, or would access to the data be permanently lost in that case?

      Answer:
      For Individual and Family accounts, if you lose your Secret Key or Password, you still have the option to use a Recovery Code to get back into your account. For Family accounts, the Family Organizer can also help recover a lost account for another member of the family.
    • wernerstroe
      New Contributor

      Hi 1P_SimonH,

      Thank you very much for taking the time to answer all my questions in such detail — I really appreciate the thorough explanations!
      I’ll take a closer look at the links you and Tom shared and read through them more deeply over the coming days.
      Thanks again to both of you!

      Regarding point five, the "Emergency access" topic:
      I think this is a very important and much-requested feature that many 1Password users have been hoping for for quite some time.
      In theory, it should be possible to implement such an emergency-access feature, since 1Password already supports recovery codes, which are conceptually somewhat similar.
      Of course, security should remain the top priority, and introducing such a feature must not weaken the overall security model in any way.

      As security experts, you’re certainly in the best position to evaluate this and maybe develop a suitable and secure solution.

  • Hi Tom,

    Thanks for your reply!

    Your answers have already given me a better understanding of my remaining questions and concerns.

    Hopefully, someone from the 1Password team moderators can also address these questions in more detail.

  • Tom
    Bronze Expert

    Hi Werner,

    For legality and such you should await a confirmation from the mods, but from a community and fellow-user perspective:

    1. There are 3 clouds (.com .ca and .eu) - the company behind it is Canadian - that is as far as I'll go wrt politics. As with all clouds - they can disappear ... make a (very secure) backup every now and then.
    2. Read up on https://support.1password.com/1password-security/ and especially https://agilebits.github.io/security-design/ 
    3. You won't be able to CHANGE things in your account, it will remain read-only
    4. That's where your emergency-kit or recovery code come in https://support.1password.com/emergency-kit/ (PRINT, envelope/sign and store SECURE) and https://support.1password.com/recovery-codes/ (understand the implications)
    5. See previous answer (4)
    6. See answer on 2
    7. If you don't reboot your device or lapse 'X' time (for personal accounts, business is set by business) you can set it to anything from Never (you shouldn't) to daily require password re-entry. Meanwhile you can access it via your device's biometrics. Theoretically you could do without connectivity for a while (unless on business and external authentication) but eventually it will ask you for your password.
    8. See previous answer (7)
    9. See answer on 1 - never fully trust someone else's computer - even if they would accept liability you would still be at (unrecoverable) loss
    10. Depends; start at https://support.1password.com/export/ and rephrase accordingly
    11. To my understanding and previous (business, team and enterprise) discussions and agreements, yes to the first part of your question.
    12. Depends on whether you have either of the items from answer 4 available or not. If you lost everything, you indeed did that + your data is now very secure.

    And yes, you should upgrade so you also have the full/improved Watchtower and all other good things :) But good on you to check all the boxes.

    As said, wait for one of the mods to (more) properly answer any questions or deliberately undiscussed items