1Password security model vs the competition

First, a simple question: Where does 1Password store my account data? My impression is that my encrypted vaults (containing stuff like the login name and password for my bank account, my credit card info, secure notes etc) are on your servers, but the encrypted Secret Key is only stored locally -- and that the master password or passphrase isn't stored anywhere at all. Is that right?


Now, about that Secret Key.

As far as I can tell, Bitwarden -- which I rather like in many respects -- relies exclusively and completely on my passphrase to protect my account. I can go to a computer in a public library, open Bitwarden's website and, since I know my username and passphrase, I can access all my account data. And if I can do it, anybody else can, too. Puts an extremely heavy burden on the passphrase! Bitwarden supports 2FA and serious Bitwarden devotees keep mentioning this to me on reddit and Twitter -- but Bitwarden does not require 2FA and I don't use it with Bitwarden for two reasons. First, it's a PITA -- and I might say that this is the end of the story as far as my wife is concerned. And second, I'm not a fan of "true" second-factor authorization involving say a Yubikey or a distinct third-party TOTP-generating app like Authy because of the serious potential of locking myself out of my account. (Bitwarden does have something it calls the "Fingerprint Phrase" but I don't understand what its purpose is. It is clearly NOT like the 1Password Secret key.)

RememBear uses a secret key and it seems to work much the way 1Password's does. I am very fond of RememBear's UI and I like the locally-stored secret key idea. As far as I can tell, only 1Password and RememBear use a secret key in this way.

As I said, since I do NOT use 2FA with Bitwarden, I believe that anybody who (somehow) learns the master passphrase I use for Bitwarden (and knows my login email, which isn't hard to guess) can get complete access to my Bitwarden account. On the other hand, the following seem to me to be true statements about 1Password (and coincidentally also about RememBear):

  • Say a tech-savvy burglar steals my laptop -- on which I have 1Password installed and on which my Secret Key has been saved. So long as the burglar doesn't hit me over the head as I'm logged into my computer, to get into my 1Password vault, the burglar first has to get past Windows Hello (to gain access to my device and decrypt the SSD); and then he/she will also need to know my master passphrase to access my 1Password vault. So the unstored passphrase protects access to my vaults from my own devices. Correct?
  • On the other hand, even a bad guy or gal who knows my 1Password master passphrase won't be able to do anything with it on his or her own computer, without also having the Secret key. So the Secret Key protects access to my vaults from anybody else's devices. Right?
  • Anybody who somehow got access to the 1Password servers would get nothing but vaults that could not be decrypted without BOTH my master passphrase and my secret key. Right?

Thanks.

1Password Version: 8.1.0-66.BETA
Extension Version: Not Provided
OS Version: Windows 10
Sync Type: Not Provided

Comments

  • ag_ana

    Team Member

    Hi @williamporter!

    My impression is that my encrypted vaults (containing stuff like the login name and password for my bank account, my credit card info, secure notes etc) are on your servers, but the encrypted Secret Key is only stored locally -- and that the master password or passphrase isn't stored anywhere at all. Is that right?

    This is correct :+1:

    So the unstored passphrase protects access to my vaults from my own devices. Correct?
    So the Secret Key protects access to my vaults from anybody else's devices. Right?
    Anybody who somehow got access to the 1Password servers would get nothing but vaults that could not be decrypted without BOTH my master passphrase and my secret key. Right?

    This is also correct. I am quoting this from our documentation page on the Secret Key:

    • Your Master Password protects your data on your devices. Someone who has access to your devices or backups won’t be able to unlock 1Password without your Master Password, which only you know.
    • Your Secret Key protects your data off your devices. Someone who attempts a brute-force attack on our servers won’t be able to decrypt your data without your Secret Key, which we never have.

    You can find the whole page here:

    About your Secret Key
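    The two-secret model described in the quoted documentation, as an added illustration that is not 1Password's own code and not its real key-derivation scheme: a user-chosen password is slowly stretched, a high-entropy device-held Secret Key is expanded, and the two results are combined so that neither secret alone yields the unlock key. The salt, password, Secret Key bytes, iteration count and verifier label are all constructed for this example. The three scenarios at the bottom correspond to the three bullets in the original question: own device with both secrets, stolen device without the password, and any other machine (or the server's data) without the Secret Key.

```python
import hashlib
import hmac
import secrets

# Constructed parameters for this illustration; not 1Password's constants,
# salts, key formats or algorithm choices.
PBKDF2_ITERATIONS = 20_000   # kept low so the example runs quickly
KEY_LEN = 32


def stretch_password(password: str, salt: bytes) -> bytes:
    """Slow, salted stretching of the user-chosen Master Password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=KEY_LEN)


def expand_secret_key(secret_key: bytes, salt: bytes) -> bytes:
    """Derive a key-sized value from the device-held Secret Key.

    The Secret Key is already random and high-entropy, so it needs no
    stretching; one HMAC step (the shape of HKDF-Expand) binds it to the
    same account salt as the password.
    """
    return hmac.new(secret_key, salt + b"\x01", hashlib.sha256).digest()


def derive_unlock_key(password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Combine both secrets by XOR; missing either one leaves the result unknown."""
    from_password = stretch_password(password, salt)
    from_secret_key = expand_secret_key(secret_key, salt)
    return bytes(a ^ b for a, b in zip(from_password, from_secret_key))


def make_verifier(unlock_key: bytes) -> bytes:
    """Value stored beside the encrypted vault so a client can confirm a derived key
    before trying to decrypt anything (constructed label, not a real format)."""
    return hmac.new(unlock_key, b"unlock-key-verifier", hashlib.sha256).digest()


def unlock(password: str, secret_key: bytes, salt: bytes, verifier: bytes) -> bool:
    """Return True only if both secrets reproduce the key the vault was protected with."""
    candidate = derive_unlock_key(password, secret_key, salt)
    return hmac.compare_digest(make_verifier(candidate), verifier)


def new_secret_key() -> bytes:
    """Generated once on the device and kept there; the server never receives it."""
    return secrets.token_bytes(16)


# Constructed scenario data
SALT = b"constructed-account-salt"
MASTER_PASSWORD = "correct horse battery staple"
SECRET_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # constructed 128-bit value


def scenario_results() -> dict:
    """Map each of the three scenarios from the question to whether unlock succeeds."""
    verifier = make_verifier(derive_unlock_key(MASTER_PASSWORD, SECRET_KEY, SALT))
    return {
        # Own laptop: Secret Key on disk, user knows the password.
        "own device: right password + Secret Key":
            unlock(MASTER_PASSWORD, SECRET_KEY, SALT, verifier),
        # Stolen laptop: Secret Key on disk, but the password is not known.
        "stolen laptop: Secret Key present, wrong password":
            unlock("Password123", SECRET_KEY, SALT, verifier),
        # Someone else's machine, or a copy of the server's data: password known,
        # Secret Key absent (an all-zero placeholder stands in for "no key").
        "other device or server data: right password, no Secret Key":
            unlock(MASTER_PASSWORD, bytes(16), SALT, verifier),
    }


if __name__ == "__main__":
    for scenario, ok in scenario_results().items():
        print(f"{scenario}: {'unlocked' if ok else 'refused'}")
```

    Because the Secret Key contribution is XORed in after password stretching, a copy of the server-side data gives an attacker nothing to test password guesses against: every candidate password maps to a different, equally plausible key unless the 128-bit Secret Key is also known. On the device itself the Secret Key is present, so the password, and the slow PBKDF2 step that protects it, is what stands between a thief and the vault.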

  • Thanks for that (very quick!) confirmation of these various points. I used 1Password several years ago, am looking at it again (now that the new version is coming for Windows) and when I search for info about 1Password, I find some old info and I'm not sure whether it's still valid. You've helped me quickly get up to date. Much appreciated.

  • ag_ana

    Team Member

    You are very welcome @williamporter! Let us know if you have any other questions :)
