1Password Cloud Question

Mork · May 2021

I'm still deciding on moving my passwords to your cloud option.

A couple concerns:

With high Q-Bit computers coming in the next few years which could render most current encryption useless, are you planning for this eventuality already or does it really not apply for some reason?
When I enter my cloud super secret password, what prevents you at that point from capturing it? As far as I can see, there isn't any way (could be my misunderstanding) to truly not share all my password information with you in some way. Seems like an obvious vulnerability if I understand how this works on your site.

Thanks in advance for your reply.

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Mac 11.4
Sync Type: cloud

ag_ana · May 2021

Hi @Mork!

I just wanted to let you know that I have sent your questions directly to our security team ;)

AGAlumB · May 2021

@Mork: 1Password's security is something we've always iterated on (pun sort of intended) with things like PBKDF2 iterations increasing over the years to raise the bar as computational power has increased, as well as adopting different technologies that can provide additional security benefits; so that's something we'll continue to do as technology advances -- whether that ends up being quantum computing, neural networks, or anything else: neither the "bad guys" nor the "good guys" gain exclusive benefit from technological advances; everyone does. :)

Regarding the particulars of our security model, a not uncommon misconception is that a user signs into our website to access their data. However, that's not actually the case. Certainly a lot of websites will have you do that, because their only security measure is authentication, while 1Password uses encryption to protect the data. So with those websites you're literally sending your credentials to them to prove to them who you are. 1Password, on the other hand, works the same way "in the browser" as it does anywhere else: you're running a client app on your device which does everything locally. You authenticating just gets you the encrypted data in your account from the server, which you can then decrypt locally on your device to access, encrypt any changes you make, and send them back.

We use the Secure Remote Password protocol to ensure that neither the Master Password nor Secret Key are ever transmitted, and don't need to be in order to authenticate, etc. You can learn more in the white paper: