Transmission of master password
I've read multiple places that a user's master password is never transmitted (e.g. https://blog.1password.com/are-password-managers-safe/). However, when setting up a 1Password account, it asks to create a master password. This form is in a browser window, and I'm assuming when I click "Create 1Password account" after entering in a master password, it would have to be sent to the 1Password servers (what else would be the purpose of entering it in a web browser form?).
I haven't finished creating a 1Password account yet (I'm still on a desktop license), but I'm also assuming logging in to 1password.com would require entering the master password as well (again wouldn't it have to be transmitted in order to login via a web browser?)
If the master password isn't being transmitted, what exactly is happening (is there some other key being generated locally using Javascript in the web browser, then that is sent?)
If anyone could clarify this, I would much appreciate it. One of the reasons I haven't moved to a subscription is I can be sure everything stays local. This aspect of typing your master password into a browser, and it supposedly not transmitting has made no sense to me.
1Password Version: 7
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
@dcarver: Thanks for reaching out. Happy to help clear this up. :)
I've read multiple places that a user's master password is never transmitted
That is correct! :sunglasses:
after entering in a master password, it would have to be sent to the 1Password servers (what else would be the purpose of entering it in a web browser form?).
Think of it the same way you do when entering your Master Password into any of the 1Password apps: it's not sent anywhere; it's simply being used as an input to decrypt your data locally (since it was encrypted using it). The same applies exactly to the 1Password web app: it runs locally on your machine, and does all of the encryption/decryption there.
If the master password isn't being transmitted, what exactly is happening (is there some other key being generated locally using Javascript in the web browser, then that is sent?)
You're right on track. The key is that with 1Password you're not "logging in" in any real sense like you would with, say, your email account. Your email provider, on the other hand, has your account credentials in some form (hopefully salted and hashed) in order for them to match it to what you enter when logging in. All the data in your account is stored on the server and, even if encrypted (not always the case), processed there and sent to you over (hopefully) HTTPS to be displayed locally. Pretty much everything is happening on the server, nothing in the client (browser) on your device (except your browser rendering the page for display). That's less expensive in some ways because there is much less processing involved generally on both the client and server side, but definitely the client, since it's essentially just receiving data. So we use SRP (Secure Remote Password) protocol to avoid both us storing secrets that could be used to get to 1Password users' data (so there is no risk of us misusing or giving them up) and users having to transmit them in the first place (so there is no risk of them being captured in transit).
If anyone could clarify this, I would much appreciate it. One of the reasons I haven't moved to a subscription is I can be sure everything stays local. This aspect of typing your master password into a browser, and it supposedly not transmitting has made no sense to me.
I don't blame you, because it's pretty much the opposite of what we're all used to with web-based stuff. But of course we're also kind of used to the security issues that come along with that, and we sort of have to turn this on its head in order to be able to offer the security that 1Password users expect with this service. Otherwise we wouldn't use 1Password.com either! There's a lot more detail in our security white paper (which is actually a really fun read, even if you're not into cryptography), but I'd like to offer a few points that summarize how 1Password secures our data:
- Your 1Password data is encrypted locally on your device before it is transmitted.
- The server receives only an encrypted blob.
- Your Master Password is never transmitted.
You might think I'm talking about 1Password.com specifically there, but that's the case no matter what 1Password setup you use — the only difference being that 1Password.com data is also encrypted using the 128-bit randomly generated Secret Key, which is also never transmitted to us. So there's an additional layer of security there as well.
Indeed, when you use 1Password, AgileBits never has access to your data, regardless of the setup you choose. Even with 1Password.com, your data is encrypted on your device, so all the server ever ends up with is an encrypted blob. And since the Secret Key is created locally, your Master Password is only known by you, and neither is ever transmitted to us, only you have the means to decrypt the data.
Suffice to say, if someone were to gain access to our servers, they simply don't have what they need to decrypt the data, as each individual user alone has the keys to it. I hope this helps. Be sure to let me know if you have any other questions! :)
0 -
Thanks for all the info! This was very thorough. If I understand this correctly, when one types their password (and device key) on 1Password.com, what's happening is the browser is loading the user's vault in the background (based on the email address the user typed in). The master password and device key the user typed don't leave the browser, but are applied to the vault which is served up by 1Password.com. Does that sound about right?
0