Master Password and Security Key transmitted to 1password.com?

roljs
roljs
Community Member

When I visit https://my.1password.com/signin?a=new&l=en to sign-in, I'm prompted for a Master Password and Security Key. Clicking on the "Sign in" button will submit the webform to 1password.com with both values included. Can you explain how this is not breaking 1Password's security promise that these values are never transmitted or stored at 1Password.com?

This promise is made in various docs and forum posts. For example, in this thread, Ben from the 1Password team states that "Neither of these values are transmitted to 1Password.com, so even if someone were able to break into our systems they would not see the Master Password nor Secret Key".


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:Master Password security

Comments

  • DanielP
    DanielP
    1Password Alumni

    @roljs:

    Can you explain how this is not breaking 1Password's security promise that these values are never transmitted or stored at 1Password.com?

    What you are seeing after clicking on the Sign In button is not a regular login form: it's actually a JavaScript app delivered to your browser, and run locally inside it. When you enter your credentials in the form, that data is not sent to 1Password.com: the decryption is all handled locally. Our servers never receive your Secret Key or your Master Password as part of the decryption process (and neither do they receive it when they are created, because all of that also happens locally).

    If you are curious to know how this works, we use SRP (Secure Remote Password), an extension of the Diffie-Hellman key exchange method. If you are not familiar with SRP, you can read the technical details about it in our security white paper, SRP section.

    If you have any technical questions about SRP or the maths behind it, please feel free to ask them here, I will be happy to answer them for you :+1:

    ===
    Daniel
    1Password Security Team

  • roljs
    roljs
    Community Member

    Thanks for the prompt response and explanation. I've read the security whitepaper and somewhat familiar with SRP, it was just not clear that you implemented it client side as a Javascript library for the web browser use case. Can you also confirm that decrypted user data is never sent to the server (i.e. it is all rendered client-side) and comment on whether the Javascript implementation also keeps the entire data set decrupted in memory as opposed just one item at a time (as discussed in this long thread)

  • Hi, @roljs.

    Yes, decrypted user data is never sent to the server. The web app requests the data after it has authenticated with SRP and the server sends down the encrypted data. Then the web app decrypts it using the browser's WebCrypto implementation and displays it to the user. In general, only the things on screen are held in memory in decrypted form. So in vault view, that includes overview information for all the items displayed in the item list (things like title, subtitle, icon), but the details are only decrypted when displaying the full item on the right.

    So yes, we only keep decrypted details when they're being displayed. The other thread you mentioned talks a bit about erasing or "zeroing out" memory and those comments still hold. We cannot choose to erase memory in JS, but we do release references to it so that JS can clean it out.

This discussion has been closed.