1Password Security in Public WIFI

Shelley28736 · January 2021

Hello,

If I were to connect to public wifi, say at a cafe or library, without the protection of a VPN, what would the risks be towards the security of my passwords stored in 1password if my vault were to be unlocked vs. if I were to keep it locked? I guess what I want to know is if someone could get access to my passwords over public wifi if I keep it locked? I'm new to using a password manager and still trying to figure everything out.

Thanks,
Shelley

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

[Deleted User] · January 2021

All of your passwords are encrypted with your Master Password and Secret Key before being transferred to 1Password. Secure Remote Password is used to set-up a secure connection with the 1Password servers before any data is transferred. In addition, all of this takes place over a standard TLS connection:

https://support.1password.com/secure-remote-password/

So your passwords are triply secure and I wouldn't be worried about your passwords leaking en-route to 1Password. But anyone listening in to the public wi-fi traffic will be able to see what websites you visit and, depending on the level of security on those websites, they may be able to see information you submit to them.

Shelley28736 · January 2021

@missingbits Thank you very much for your reply.

jpgoldberg · January 2021

Thank you @missingbits! Your answer is pretty much what I joined this topic to say.

And to give a slightly broader answer to @Shelley28736, TLS (the thing that puts the "S" in HTTPS) is designed to keep your network traffic safe even if there are hostile entities in control of some of the links in the network. And that is why you should heed browser warnings about insecure connections in general.

1Password, as @missingbits pointed out, does better than that. 1Password's security does not depend on the secrecy provided by TLS. We built 1Password transport security (and data security) under the assumption that TLS can fail. A few years back there was a TLS failure illustrated exactly the kinds of things that we do protect again. See Three layers of encryption keeps you safe when SSL/TLS fails from 2017 for that incident.