Just signed up, confused and worried about the obviously erroneous promises

sam21k
Community Member
edited April 2020 in Families

I just signed up for a 1password account, as I'm looking for an alternative to KeePass.

On page https://1password.com/security/ there is a bold announcement "Only you know your Master Password: it's never stored alongside your data or sent over the network."

Well, this is obviously not true. When I initially create the master password, it is sent to 1Password over the network. I would then expect that the actual password is never saved anywhere. When I logged in to 1Password for the first time I saw that the 1Password account data was stored there by default, including the Master Password (which is supposedly never stored alongside my data or sent over the network).


Comments

  • Hi @sam21k

    Welcome to 1Password. I'd be happy to help clarify what you're seeing here.

    When I initially create the master password, it is sent to 1password over the network.

    We do not transmit the Master Password over the network. Instead, we use SRP. This means your Master Password never has to be (or is) transmitted over the network. You can read more about how we use SRP here:

    1Password is LayerUp-ed with modern authentication

    I understand that my.1password.com looks very much like a traditional website that does traditional authentication, but despite appearances that is not how it works under the hood.

    it's never stored alongside your data or sent over the network

    Right: it isn't stored alongside it. It may be stored within it. "Alongside" seemingly implies that the Master Password could be accessed apart from your data. By placing the Master Password within the encrypted data it’s just as secure as all the rest of your items. Indeed, you need to enter your Master Password in order for 1Password to decrypt the item that stores your Master Password.

    The promise we’re trying to make here with this statement is that we don’t have a list of Master Password/hashes anywhere, as most other services do. You need to already have access to all the data to see the starter kit items stored within 1Password. And we don’t have access to those items because they are encrypted using your Master Password and Secret key, the same as the rest of your data inside 1Password. Someone attacking our servers wouldn’t have an easier time getting to your data because of the existence of those items. They'd still have to have your Master Password and Secret Key in order to decrypt them.

    If you're interested in how we accomplish these claims I'd recommend reviewing our security model guide:

    About the 1Password security model

    In particular we have a 1Password Security Design White Paper document linked from that guide that gets into much of the nitty gritty details. I hope that helps. Should you have any other questions or concerns, please feel free to ask.

    Ben
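As an added illustration of the SRP point in the reply above (example code written for this thread, not 1Password's implementation, which is specified in its security white paper): both sides of an SRP-6a exchange, with a toy modulus so it runs instantly. The wire carries only A, the salt and B; the password is used solely to derive x on the client, and the server authenticates against a stored verifier g^x without ever holding the password or x.

```python
import hashlib
import secrets

# Toy modulus so the demo runs instantly: 2**127 - 1 is prime, but real SRP
# uses a 2048-bit+ safe-prime group (RFC 5054) and a slow KDF when deriving x.
N = 2**127 - 1
g = 2

def H(*parts: bytes) -> int:
    """SHA-256 over the concatenated parts, returned as an integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

def to_bytes(n: int) -> bytes:
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")

k = H(to_bytes(N), to_bytes(g))  # SRP-6a multiplier parameter

def enroll(password: str) -> tuple[bytes, int]:
    """Client-side enrolment: the server stores only (salt, verifier), never x."""
    salt = secrets.token_bytes(16)
    x = H(salt, password.encode())
    return salt, pow(g, x, N)

def srp_exchange(password: str, salt: bytes, verifier: int):
    """Run both sides of SRP-6a; return (client_key, server_key, wire_transcript)."""
    wire = []
    a = secrets.randbelow(N - 2) + 1              # client ephemeral secret
    A = pow(g, a, N)
    wire.append(("A", A))                         # client -> server
    if A % N == 0:
        raise ValueError("server must reject A == 0 mod N")
    b = secrets.randbelow(N - 2) + 1              # server ephemeral secret
    B = (k * verifier + pow(g, b, N)) % N
    wire += [("salt", salt), ("B", B)]            # server -> client
    u = H(to_bytes(A), to_bytes(B))               # scrambling parameter
    if B == 0 or u == 0:
        raise ValueError("client must reject B == 0 mod N or u == 0")
    x = H(salt, password.encode())                # client re-derives x locally
    s_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    s_server = pow(A * pow(verifier, u, N) % N, b, N)   # server never sees x
    return H(to_bytes(s_client)), H(to_bytes(s_server)), wire

def leaks_password(wire, password: str) -> bool:
    """True if the password bytes appear verbatim in any transmitted value."""
    pw = password.encode()
    return any(pw in (v if isinstance(v, bytes) else to_bytes(v)) for _, v in wire)
```

Both keys match only when the client knows the enrolled password; the transcript never contains it, which is the property the "never sent over the network" statement rests on.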
