Security in 1Password 7

phadley
phadley
Community Member

In version 6, your software decrypts your data locally on the host device using the password that is entered. So, it serves to authenticate the user without the need to transmit the master password over the internet, and AgileBits servers did not need to store master passwords on their servers.

In version 7, your software sends the user's master password over the internet to be authenticated by matching it against what is stored on AgileBits' servers.

Version 7 seems substantially less secure to me because it is exposed to at least two additional attack vectors: 1) snoop/crack HTTPS transmission, and 2) data breach of AgileBits' servers.

Now, I'm open to being wrong on all of this. Please tell me what is incorrect about my above statements, and how version 7 is actually more secure.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • XIII
    XIII
    Community Member
    edited February 2020

    Have a look at this page on Secure Remote Passwords:

    https://support.1password.com/secure-remote-password/

    ("Your credentials are never sent over the network")

  • Hi @phadley

    Thanks for taking the time to write in with your concerns.

    Now, I'm open to being wrong on all of this. Please tell me what is incorrect about my above statements, and how version 7 is actually more secure.

    Certainly. Thanks also for being open to being informed about the subject.

    In version 7, your software sends the user's master password over the internet to be authenticated by matching it against what is stored on AgileBits' servers.

    Both halves of this are incorrect.

    1. The Master Password is not transmitted to our servers
    2. The Master Password is not stored on our servers, so there is nothing there to compare against

    1Password data is "end-to-end" encrypted, with all of the endpoints being your devices. We do not have the encryption keys. You can read more about this in these guides:

    This blog post may also be helpful in illustrating how our authentication works differently than that of traditional services:

    Version 7 seems substantially less secure to me because it is exposed to at least two additional attack vectors: 1) snoop/crack HTTPS transmission, and 2) data breach of AgileBits' servers.

    For point #1 I'd direct you here:

    And for point #2 I'd suggest taking a look at the benefits the Secret Key provides. It is designed to protect you even from someone who has access to our servers (including us):

    I realize there is a lot to digest there, especially because it is different than what folks are used to with other services. If you have any follow up questions please feel free to ask.

    Ben

  • phadley
    phadley
    Community Member
    edited February 2020

    Thanks, @Ben. This helps a lot!

    My impression that my Master Password was sent over the internet was fueled by the behavior of the 1 Password X browser extension, which, when I tried it, navigated me to https://my.1password.com/signin. And I assume that any time I enter data on a web page, that it will send it over the internet to the web server hosting the page. Is this not the case?

    In the 1Password 6 extension, authentication didn't occur on a web page, but instead a little pop-up collected the Master Password, and I had assumed that I was being authenticated (and my data was being decrypted using it) locally.

    1Password 6 extension behavior:

    1Password 7 extension behavior:

  • phadley
    phadley
    Community Member

    @Ben,

    I think my question comes down to the article that @XIII provided: https://support.1password.com/secure-remote-password/. It says that "Your credentials are never sent over the network". But then it goes on to explain that "Your information is protected by an additional encryption key". Why is an additional key needed if this sensitive information is not sent? My interpretation of this section is that sensitive information is sent, but is protected by an additional key in case, as you say: "someone manages to decrypt TLS." So, which is it? Sent or not-sent?

    Also, I'm unable to open the security whitepaper at this URL: https://1password.com/files/1Password-White-Paper.pdf
    Here's what I see:

  • And I assume that any time I enter data on a web page, that it will send it over the internet to the web server hosting the page. Is this not the case?

    That is generally true, but not in the case of the 1Password web app, which is what I mean when I say it works differently than many / most other services. The code for the web app is downloaded, and then is run within your web browser. The encryption / decryption happens there.

    In the 1Password 6 extension, authentication didn't occur on a web page, but instead a little pop-up collected the Master Password, and I had assumed that I was being authenticated (and my data was being decrypted using it) locally.

    That is still true today with 1Password 7 and 1Password membership.

    So, which is it? Sent or not-sent?

    Not sent. The Master Password is never "seen" by the server. It doesn't have to be, as the encryption / decryption happens on your device (in your web browser, or in one of the native apps). The white paper gets into additional detail on this.

    Also, I'm unable to open the security whitepaper at this URL:

    This is an issue with rendering the PDF in Chrome. Please try a different browser or use Chrome to save the PDF and then open it from your local disk.

    Ben

  • phadley
    phadley
    Community Member

    Thanks again, @Ben, for your replies.

    The whitepaper is a project for Math or CS pHD candidates. I found this article to be most helpful: https://blog.1password.com/developers-how-we-use-srp-and-you-can-too/

    I'm impressed with SRP. I have a few remaining questions:

    1. How does the browser extension intercept the "click" event on the Sign In button? (I suppose this is trivial for a browser extension, given the plethora of permissions that the user grants to it upon installation.)

    2. I read on one of your web pages that users can go retrieve their Secret Key from your web site... Given that you don't store users' Secret Key in your back end (do you?), I would guess that the browser extension fills it in to the field locally after the page loads into the browser. And this explains why you have to use a browser that you've used previously to log in. Is this all accurate?

    3. Browser extensions are cool and powerful, but I can see how they pose a serious security risk. What data does 1Password collect about user's browsing habits?

  • Browser extensions are cool and powerful, but I can see how they pose a serious security risk. What data does 1Password collect about user's browsing habits?

    This is covered by our privacy policy:

    Keep your secrets & passwords safe and secure

    I think the header there pretty well covers the general idea: "Your data is yours, and we don't want to know anything about it. We don't use it, we don't share it, and we don't sell it."

    I read on one of your web pages that users can go retrieve their Secret Key from your web site... Given that you don't store users' Secret Key in your back end (do you?), I would guess that the browser extension fills it in to the field locally after the page loads into the browser. And this explains why you have to use a browser that you've used previously to log in. Is this all accurate?

    Mostly right. The browser extension actually isn't involved in this. It is all done through your browser's local cache. And yes, that is exactly why it is only available in browsers which you've already logged in and then haven't subsequently cleared the cache of.

    How does the browser extension intercept the "click" event on the Sign In button? (I suppose this is trivial for a browser extension, given the plethora of permissions that the user grants to it upon installation.)

    Yes, exactly. When you give the extension the permissions required when it installs it is able to listen to the page for these kinds of events, and even modify what the page does as a result:

    About 1Password browser permissions

    The whitepaper is a project for Math or CS pHD candidates. I found this article to be most helpful: https://blog.1password.com/developers-how-we-use-srp-and-you-can-too/

    Sorry; didn't mean to overwhelm you with the white paper. As I mentioned above it does get into some fairly technical nitty gritty, but I like to link to it to show just how open we try to be about how things work. I'm glad to hear the blog post was helpful. :)

    Thanks again, @Ben, for your replies.

    Any time. Happy to help. :+1:

    Ben

  • phadley
    phadley
    Community Member

    Well done, @Ben ! thanks again

  • ag_ana
    ag_ana
    1Password Alumni

    On behalf of Ben, you are welcome! If you have any other questions, please feel free to reach out anytime.

    Have a wonderful day :)

This discussion has been closed.