1Password Cloud Question

Mork
Community Member

I'm still deciding on moving my passwords to your cloud option.

A couple concerns:

  1. With high Q-Bit computers coming in the next few years which could render most current encryption useless, are you planning for this eventuality already or does it really not apply for some reason?

  2. When I enter my cloud super secret password, what prevents you at that point from capturing it? As far as I can see, there isn't any way (could be my misunderstanding) to truly not share all my password information with you in some way. Seems like an obvious vulnerability if I understand how this works on your site.

Thanks in advance for your reply.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Mac 11.4
Sync Type: cloud

Comments

  • ag_ana
    1Password Alumni

    Hi @Mork!

    I just wanted to let you know that I have sent your questions directly to our security team ;)

  • AGAlumB
    1Password Alumni

    @Mork: 1Password's security is something we've always iterated on (pun sort of intended) with things like PBKDF2 iterations increasing over the years to raise the bar as computational power has increased, as well as adopting different technologies that can provide additional security benefits; so that's something we'll continue to do as technology advances -- whether that ends up being quantum computing, neural networks, or anything else: neither the "bad guys" nor the "good guys" gain exclusive benefit from technological advances; everyone does. :)

    Regarding the particulars of our security model, a not uncommon misconception is that a user signs into our website to access their data. However, that's not actually the case. Certainly a lot of websites will have you do that, because their only security measure is authentication, while 1Password uses encryption to protect the data. So with those websites you're literally sending your credentials to them to prove to them who you are. 1Password, on the other hand, works the same way "in the browser" as it does anywhere else: you're running a client app on your device which does everything locally. You authenticating just gets you the encrypted data in your account from the server, which you can then decrypt locally on your device to access, encrypt any changes you make, and send them back.

    We use the Secure Remote Password protocol to ensure that neither the Master Password nor Secret Key are ever transmitted, and don't need to be in order to authenticate, etc. You can learn more in the white paper:

    1Password Security Design

    And there's more info on our SRP implementation (which is open) here as well:

    Developers: How we use SRP, and you can too

    I hope this helps. Be sure to let us know if you have any other questions about 1Password! :)

  • Mork
    Community Member

    OK. It's going to be a big step for me to store my most secure data in the cloud so I needed to follow up.

    Thanks!

  • ag_ana
    1Password Alumni

    @Mork:

    Absolutely understandable, and let us know if you have any other questions :)

This discussion has been closed.
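
The SRP exchange AGAlumB's reply refers to, as an added example that is not part of the thread and is not 1Password's code: a generic SRP-6a login in which the server stores only a salt and a verifier, and the wire carries only the salt and the public values A and B. Assumptions: the group (2**521 - 1, g = 3) is a demo stand-in for a standardized SRP group, and `derive_x` is a simplified, hypothetical stand-in for the client-side derivation from Master Password and Secret Key.

```python
import hashlib, hmac, secrets

# Demo group (assumption): Mersenne prime 2**521 - 1 with g = 3.
# Real deployments use the standardized SRP groups from RFC 5054.
N = 2**521 - 1
g = 3

def H(*parts) -> int:
    """Hash length-prefixed ints/bytes together; return the digest as an int."""
    h = hashlib.sha256()
    for p in parts:
        b = p.to_bytes(66, "big") if isinstance(p, int) else p
        h.update(len(b).to_bytes(2, "big") + b)
    return int.from_bytes(h.digest(), "big")

k = H(N, g)  # SRP-6a multiplier

def derive_x(password: str, secret_key: str, salt: bytes) -> int:
    # Hypothetical, simplified derivation: stretch the password, then mix in
    # the device-held secret key. This runs on the client only.
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return int.from_bytes(hmac.new(secret_key.encode(), stretched, "sha256").digest(), "big")

def enroll(password: str, secret_key: str) -> dict:
    """Client computes the verifier; the server stores only salt and v."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "v": pow(g, derive_x(password, secret_key, salt), N)}

def login(record: dict, password: str, secret_key: str):
    """Run one exchange; return (client_key, server_key, values_on_wire)."""
    a = secrets.randbelow(N - 2) + 1; A = pow(g, a, N)   # client -> server: A
    b = secrets.randbelow(N - 2) + 1
    B = (k * record["v"] + pow(g, b, N)) % N             # server -> client: salt, B
    if A % N == 0 or B % N == 0:
        raise ValueError("degenerate public value, abort the handshake")
    u = H(A, B)
    x = derive_x(password, secret_key, record["salt"])   # never leaves the client
    S_c = pow((B - k * pow(g, x, N)) % N, a + u * x, N)  # client's shared secret
    S_s = pow(A * pow(record["v"], u, N) % N, b, N)      # server's shared secret
    wire = [record["salt"], A, B]
    return H(S_c), H(S_s), wire
```

Both sides reach the same session key only when the client's inputs match the enrolled verifier; in a real deployment each side then proves knowledge of that key to the other instead of comparing keys directly.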