Web browser access to passwords & revisiting 1password.com membership with recent Dropbox changes
With the recent changes to Dropbox device access for non-Pro accounts, I'm rethinking my 1password syncing needs and reconsidering getting a 1password family membership instead of the license based 1password I currently use.
The primary thing causing me to hesitate moving my 1password use to a family membership is the web browser access to my passwords that 1password.com allows.
I had a discussion with Ben about this back in 2017 in this now closed discussion:
I'm still uncomfortable with this additional internet accessible web browser-based vector for possible attack/breach of passwords given the very attractive target 1password.com has to be to all of the bad guys out there looking for sites to breach.
Has anything changed since the time of my discussion with Ben (July 2017) that allows a 1password.com member to administer his 1password.com account while disabling access to passwords via a web browser (only allowing access to passwords via a properly configured 1Password application)?
1Password Version: 6.8.9
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
Hi @trclayton58
very attractive target 1password.com has to be
On the contrary. One of the requirements we had in mind when we started out on this path was that we didn't want to hold anything that would be valuable enough for people to want to attack 1Password.com. Of course there are strong protections in place if they decide to do so, but even if they do and are successful there is relatively little they can learn by doing so. For example, most people's Facebook accounts would contain vastly more information about them than their 1Password.com account does. A big part of this is the Secret Key. The Secret Key is designed to protect you in the case that 1Password.com is breached. While of course, and as I said, we have a lot of protections in place to prevent that, we recognize it is a possibility. As such the Secret Key was developed, and it makes it such that 1Password data stored on 1Password.com is essentially worthless to someone who could get their hands on it (including us). This is so powerful that it even protects you from insider attacks (e.g. a rogue employee here at 1Password). Even someone with access to our systems cannot access your data.
Has anything changed since the time of my discussion
There haven't been any changes in this regard, and I don't expect any in the near future. While we'd love to make it such that the web interface isn't required at all, and everything could be done in a codesigned native app, that may be a bit of a pipe dream. That said, there is nothing saying that you have to access your passwords via the web interface. But there is no way to turn that off and frankly I'm not sure that I'd expect that to ever be possible.
(only allowing access to passwords via a properly configured 1Password application)
1Password's data format is open, so even outside the 1Password.com web interface it is possible for someone to write their own apps to interface with 1Password data, and people have done so. This post is a bit old at this point but much of it is still applicable:
You have secrets; we don’t, why our data format is public
I really think the Secret Key protects you against the threats that you seem to be concerned about, but I suppose that is something you'll need to evaluate for yourself. :)
Ben
0 -
Ben,
Re: Facebook, I agree wholeheartedly which is why I deleted my Facebook account many years ago way way before all of the bad news about Facebook in recent months.
Everything you say here makes sense to me... maybe it's the "old school" part of me that has me hesitating. I'm an Electronic Engineer who is in his 60s and did most of my coding in Assembly Language on old 8-bit then 16-bit micros. Unfortunately I never had occasion to build web applications so maybe it's a lack of understanding on my part.
After the Secret Key is generated during account setup and sent to me to save, is my Secret Key ever sent back to AgileBits in any way?
I guess what I'm asking is even when accessing passwords via 1password.com does all the decryption of my 1Password data occur locally on my machine and therefore the Secret Key and decrypted data are never sent over the internet (I know that is how it works with the 1Password apps)?
If that is indeed the case, then I can see that if I'm smart enough to protect my Secret Key and Master Password then you are correct and my concerns are probably unfounded.
1Password has been very valuable to me since the first day I installed it back in 2011 and the subscription cost for a Family Membership is well worth the value my family gets out of using 1Password each and every day. Something this important justifies being supported to help ensure that you guys and 1Password are going to be around for a very long time.
I just haven't been able to get my head wrapped around the web access aspect of 1password.com.
Maybe your answers to these questions can finally get me past my ignorance and let me move forward with a Family Subscription.
Thanks for taking the time to address my questions.
0 -
Hi @trclayton58
After the Secret Key is generated during account setup and sent to me to save, is my Secret Key ever sent back to AgileBits in any way?
Never. This is why we are not able to recover it for you if you lose it: it's just not stored anywhere here.
I guess what I'm asking is even when accessing passwords via 1password.com does all the decryption of my 1Password data occur locally on my machine and therefore the Secret Key and decrypted data are never sent over the internet (I know that is how it works with the 1Password apps)?
That's correct, decryption happens locally even when you use the 1Password.com web app. Data is encrypted on your device, and only ever leaves it in encrypted form. It's encrypted end-to-end. If someone somehow gets a hold of your 1Password data, you are safe because the data is encrypted and your Master Password and Secret Key are never shared with us.
Let me know if you have other questions about this :)
0 -
@trclayton58: Just to clarify:
After the Secret Key is generated during account setup and sent to me to save, is my Secret Key ever sent back to AgileBits in any way?
All of this is happening on your device locally. The 1Password web app is downloaded and runs in your browser, not on our server. So, just as with the native applications, no secrets are sent to us. The Secret Key only exists on your device unless you store it somewhere else; our software never transmits the Secret Key or Master Password. It's pretty cool, actually:
Developers: How we use SRP, and you can too
And although you may not personally ever have occasion to build something using Secure Remote Password, I bet you'd find it fascinating too as an engineer. :sunglasses:
I guess what I'm asking is even when accessing passwords via 1password.com does all the decryption of my 1Password data occur locally on my machine and therefore the Secret Key and decrypted data are never sent over the internet (I know that is how it works with the 1Password apps)?
That's correct, as I'm sure you see already above, but I did want to confirm that directly because it's so important.
Put another way, it's still our software running on your local machine. The only difference with the web app is that we don't have a way to deliver that to you signed in your browser, like we can with developer certificates on macOS, Windows, iOS, and Android.
I apologize if I missed something, but looking over the correspondence I'm surprised to not see our white paper mentioned. In case you haven't seen it already (or did a long time ago), I'd encourage you to check it out:
1Password Security White Paper
And if you have any other questions at all, we're always happy to hear from you! :chuffed:
0 -
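The Secure Remote Password exchange brenty points to above, as an added illustrative example (this is not 1Password's code; the RFC 5054 1024-bit group and SHA-256 are chosen here for brevity, and 1Password's own parameters are the ones in its linked post and white paper). The point it demonstrates is the one made in the thread: the server enrolls a verifier, never the password, and both sides still arrive at the same session key.

```python
import hashlib
import secrets

# 1024-bit safe-prime group from RFC 5054, Appendix A. Production systems use
# the 2048-bit or larger groups; this one keeps the example short.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8


def H(*parts: bytes) -> int:
    """SHA-256 over the concatenated parts, read as a big-endian integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def pad(x: int) -> bytes:
    return x.to_bytes(NLEN, "big")


def private_x(identity: bytes, password: bytes, salt: bytes) -> int:
    # x = H(salt | H(identity ":" password)); computed only on the client.
    return H(salt, H(identity, b":", password).to_bytes(32, "big"))


def enroll(identity: bytes, password: bytes):
    """Client enrollment: the server receives (salt, verifier), never the password."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(identity, password, salt), N)


def server_challenge(verifier: int):
    """Server: pick ephemeral b and send B = k*v + g^b (SRP-6a)."""
    b = secrets.randbelow(N)
    return b, (H(pad(N), pad(g)) * verifier + pow(g, b, N)) % N


def client_prove(identity: bytes, password: bytes, salt: bytes, B: int):
    """Client: send A = g^a and derive the session key from the password."""
    a = secrets.randbelow(N)
    A = pow(g, a, N)
    u = H(pad(A), pad(B))
    x = private_x(identity, password, salt)
    S = pow((B - H(pad(N), pad(g)) * pow(g, x, N)) % N, a + u * x, N)
    return A, hashlib.sha256(pad(S)).digest()


def server_session(verifier: int, A: int, b: int, B: int) -> bytes:
    """Server: from the verifier alone, derive S = (A * v^u)^b."""
    u = H(pad(A), pad(B))
    return hashlib.sha256(pad(pow(A * pow(verifier, u, N) % N, b, N))).digest()


def run_exchange(identity: bytes, enrolled_pw: bytes, login_pw: bytes) -> bool:
    """Full exchange; True only when both sides derive the same key."""
    salt, v = enroll(identity, enrolled_pw)
    b, B = server_challenge(v)
    A, k_client = client_prove(identity, login_pw, salt, B)
    return k_client == server_session(v, A, b, B)
```

With the correct password the keys agree; with a wrong one they diverge, and at no point did anything derived from the password other than the verifier reach the server side.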
Thank you all very much for taking the time to answer my questions. I appreciate your patience.
I feel good about the security you've provided in the storage of our 1Password data.
I have read some discussion about the inability to sign the web app and possible TLS spoofing mucking with the process but have to confess that some of that discussion is beyond my understanding.
However, it sounds like if I only use the web app to administer my 1password.com account, use the macOS and iOS apps to access my passwords and never access my passwords via the web, I'll minimize that possible risk.
I have been watching the development of version 7 of the 1Password macOS app and have some questions about workflow with v7 versus v6 but it's probably best if I hop over to the 1Password app section of the forum to ask those questions so I'll head there now.
Again, thanks so much for all your time and attention.
0 -
I feel good about the security you've provided in the storage of our 1Password data.
I'm glad to hear it. It is a struggle to express how / why things are different with 1Password than other "web-based" services folks are used to, but it does indeed work quite differently. The biggest difference I'd say is that we utilize end-to-end encryption where only your devices are endpoints. We never have the keys, so they can't be stolen from us or used maliciously by a bad actor internally.
I have been watching the development of version 7 of the 1Password macOS app and have some questions about workflow with v7 versus v6 but it's probably best if I hop over to the 1Password app section of the forum to ask those questions so I'll head there now.
Great! We'll see you there. :)
Again, thanks so much for all your time and attention.
You're most welcome.
Ben
0 -
Ben,
Thanks again for all the info.
I've been having the discussion about v7 and workflow with brenty over in the Mac section.
That discussion is here if you're curious (and have the time):
Everyone has been great with taking the time to address my questions. It is very much appreciated.
I intend to keep supporting Agilebits and 1Password. 1Password is a part of our daily lives and a Family subscription should keep us well equipped.
Now I just have to find the right time (and way) to transition the rest of my family. Both of them are older folks and any time I have to change anything about the way they use their computers (thankfully I got them both on Macs some time ago) there is a very strong "freak-out" reaction and lots of pushback regarding "why" and "what if it breaks something".
I'm sure others have experienced the same reactions when being the tech support for older members of their family. I'll just have to carefully pick my times when other parts of their lives are relatively calm.
I believe that you've addressed everything that I can think of on this topic at this time.
Thanks for all your help.
0 -
Thank you for your support @trclayton58! We really appreciate the kind words :)
And on behalf of Ben, you are very welcome :)
If you have any other questions, please feel free to reach out anytime. Have a wonderful day!
0