Forum Discussion
Former Member
4 years ago
Standalone vaults in 1Password 8
Are standalone vaults supported in 1Password 8?
Can you import standalone vaults from 1Password 7 without signing up for the online service?
Can you create new standalone vaults in 1Password 8?...
1P_PeterG
Community Manager
4 years ago
Hi @Rayven01, thanks for your comments here. We understand that this is a reasonable concern, and have gone to great lengths to address it. I should note as well that much of the security architecture we use to keep information safe has been in place well before 1Password 8 - and that the majority of users are already using this subscription service.
While members of our security team can speak in detail to some of the more technical aspects of this, here are a few of the safeguards we use for subscription accounts, which provide a greater level of security than you can find just about anywhere:
The Secret Key - This is explained more fully in our security white paper, as @soshiito mentioned here, but the short explanation is that if someone were to guess or brute-force your account password, that still wouldn't be enough to get your data. The Secret Key provides a serious safeguard against this, and the mathematical complexity that it puts in an attacker's path is essentially insurmountable with current attack methods and hardware.
Strong privacy and secrecy policies - We don't have access to much information about 1Password users, because we don't want to. This is because we're a privacy-conscious bunch around here, but it also means that, in the event of a hack (and we haven't had one yet!) any information we don't have access to is also information an attacker can't turn against you. And, as has always been the case, your data is encrypted and decrypted locally, on your device. Without the password and secret key that only you have - even we don't have those - it is incredibly difficult for a hacker to do anything with your encrypted data.
Following that, we also threat-model against internal attacks, including even the possibility of a malicious database administrator. You can find more about this in the security paper as well.
We put our trust in encryption rather than authentication. This is because, in short, "Encryption means that 1Password does not face the kinds of threats a largely authentication-based system would face, and we have used an authentication mechanism that defends against many of the threats faced by many other systems." You can read more about this, if you're interested, in our short guide here: https://support.1password.com/authentication-encryption/
We also undergo security audits and pen tests, which you can find here: https://support.1password.com/security-assessments/
In short, we have made 1Password as secure as possible, keep the ability to unlock your data out of our own hands, collect nothing besides what's needed to run the service, and continually test our own security for weaknesses.
While of course you are ultimately the final judge of what's best for your situation, I hope this provides some helpful context for how we do things.
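An added illustration of the two-secret idea behind the Secret Key point in the reply above (not part of the original post and not 1Password's code): a simplified Python sketch in which the unlock key depends on both a password and a device-held secret, so a correct password guess alone reproduces nothing. The function names, salt, iteration count and sample values are assumptions constructed for the example.

```python
import hashlib
import hmac

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract, then expand."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def derive_unlock_key(password: str, secret_key: bytes, salt: bytes,
                      iterations: int = 100_000) -> bytes:
    # Slow stretch of the human-chosen (lower-entropy) password.
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Expansion of the high-entropy secret that never leaves the user's devices.
    device_part = hkdf_sha256(secret_key, salt, b"example-two-secret-kdf")
    # XOR the two: both inputs are needed to reproduce the key.
    return bytes(a ^ b for a, b in zip(stretched, device_part))

def guesses_matching_key(target_key: bytes, candidates, secret_key: bytes,
                         salt: bytes) -> list:
    """Return the candidate passwords that reproduce target_key with this secret."""
    return [pw for pw in candidates
            if hmac.compare_digest(derive_unlock_key(pw, secret_key, salt), target_key)]

# Constructed sample values (assumptions, not real account data).
SALT = b"constructed-example-salt"
SECRET_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # 128-bit sample
PASSWORD = "correct horse battery staple"
CANDIDATES = ["password1", "letmein", PASSWORD]

def demo():
    key = derive_unlock_key(PASSWORD, SECRET_KEY, SALT)
    with_secret = guesses_matching_key(key, CANDIDATES, SECRET_KEY, SALT)
    # Someone without the device secret must guess it too; a wrong value matches nothing.
    without_secret = guesses_matching_key(key, CANDIDATES, bytes(16), SALT)
    return key, with_secret, without_secret

if __name__ == "__main__":
    key, with_secret, without_secret = demo()
    print("key bytes:", len(key))
    print("matches with the device secret:", with_secret)
    print("matches without it:", without_secret)
```

Even though the candidate list contains the correct password, it only matches when the device-held secret is also correct, which is the property the reply describes.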