No salting and hashing for you?

George1pw
Community Member

Hello,

We are currently evaluating a password manager for our SMB. One review site claims one of your competitors is a bit better on one item, because they use salting and hashing, implying 1PW is less secure because 1PW doesn’t do that.

I guess it will come up in a discussion as it pops up in search results. I find it difficult to believe 1PW wouldn’t use an encryption mechanism with similar functionality. Could you please point me to a whitepaper or a blog item where the encryption mechanism is explained?

Thanks.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided

Comments

  • Scott.S_1P

    Team Member

    Hi @George1pw,

    Great question! We have a few different resources on the 1Password security model and how we use Secure Remote Protocol to authenticate you against your 1Password account without us ever knowing what it is:

    I hope this information helps. Be sure to let me know if you have any questions.

  • Scott.S_1P

    Team Member

    Hi again @George1pw,

    I hope you had a good weekend. I wanted to follow up to further discuss SRP vs Salting and Hashing, since it feels like the review site wasn't as detailed as it could have been. Both are methods to protect account credentials during registration and authentication, and both can be used to build a secure authentication system, but I generally feel that SRP is better. Here's why:

    • When using SRP, your password never leaves your device. It's impossible for the server to mistakenly leak your password before or after the salting and hashing process.
    • SRP authenticates the server to the client, in addition to authenticating the client to the server. This prevents man in the middle attacks from capturing and using your sign-in details.
    • SRP doesn't rely on a secure communication channel. If a third party is able to read the data being sent between the client and server, they still cannot learn anything about your credentials, nor will they be able to reuse the data to sign in as if they were the real client.
    • It's worth reminding anyone else who reads this in the future that both SRP and salting/hashing are used as a part of authentication systems, and none of this discussion is related to the encryption of passwords or other data stored within a 1Password vault.

    I don't know the internals of BitWarden like I do for 1Password, so I can't really comment on which is better in this regard, but 1Password's use of Secure Remote Password (SRP) is a wise and very secure option that keeps your account extremely secure.

    As always, let me know if you have any questions.

    Cheers,
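Worked example of the exchange described in the reply above, added here as an illustration; it is not 1Password's code and was not part of the original thread. It runs an SRP-6a enrolment and login over the 1024-bit group from RFC 5054 (demo-sized; real deployments use larger groups), with a PBKDF2 salted-hash login beside it for contrast. The identity and passwords are constructed demo values, and the message layout (client sends I and A, server answers with s and B, client proves with M1, server answers with M2) follows the standard SRP description rather than any specific product.

```python
import hashlib
import secrets

# RFC 5054 1024-bit group: N is a safe prime, g a generator (demo size).
N = int("EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
        "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
        "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
        "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
N_LEN = (N.bit_length() + 7) // 8          # fixed-width encoding of group elements


def to_bytes(n):
    return n.to_bytes(N_LEN, "big")


def H(*parts):
    h = hashlib.sha256()
    for p in parts:
        h.update(p)
    return int.from_bytes(h.digest(), "big")


k = H(to_bytes(N), to_bytes(g))            # SRP-6a multiplier parameter


def private_x(salt, identity, password):
    # x = H(s | H(I ":" P)); computed only on the client, never transmitted.
    inner = hashlib.sha256(f"{identity}:{password}".encode()).digest()
    return H(salt, inner)


def srp_enroll(identity, password):
    """Client-side enrolment: the server stores (I, s, v) and never sees P."""
    salt = secrets.token_bytes(16)
    v = pow(g, private_x(salt, identity, password), N)
    return {"I": identity, "s": salt, "v": v}


def srp_login(identity, password, record):
    """One full SRP-6a authentication. `record` is the server's stored row.

    Returns (server_accepted_client, client_accepted_server)."""
    # --- client -> server: I, A ---
    a = secrets.randbits(256)
    A = pow(g, a, N)
    # --- server: reject A == 0 mod N, then send s, B ---
    if A % N == 0:
        raise ValueError("illegal client public value")
    b = secrets.randbits(256)
    B = (k * record["v"] + pow(g, b, N)) % N
    if B % N == 0:
        raise ValueError("illegal server public value")
    u = H(to_bytes(A), to_bytes(B))           # scrambling parameter, both sides
    # --- client derives session key from its password ---
    x = private_x(record["s"], identity, password)
    s_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    k_client = hashlib.sha256(to_bytes(s_client)).digest()
    # --- server derives session key from the stored verifier only ---
    s_server = pow(A * pow(record["v"], u, N), b, N)
    k_server = hashlib.sha256(to_bytes(s_server)).digest()
    # --- client -> server: M1 proves key knowledge without revealing it ---
    m1 = hashlib.sha256(to_bytes(A) + to_bytes(B) + k_client).digest()
    m1_expected = hashlib.sha256(to_bytes(A) + to_bytes(B) + k_server).digest()
    server_accepted = secrets.compare_digest(m1, m1_expected)
    # --- server -> client: M2 proves the server holds the real verifier ---
    m2 = hashlib.sha256(to_bytes(A) + m1 + k_server).digest()
    m2_expected = hashlib.sha256(to_bytes(A) + m1 + k_client).digest()
    client_accepted = server_accepted and secrets.compare_digest(m2, m2_expected)
    return server_accepted, client_accepted


# Contrast: classic salted hashing. The password itself crosses the wire and
# is handled in plaintext by the server before hashing.
def salted_hash_enroll(password):
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def salted_hash_login(password_received, salt, stored_hash):
    candidate = hashlib.pbkdf2_hmac("sha256", password_received.encode(), salt, 100_000)
    return secrets.compare_digest(candidate, stored_hash)


if __name__ == "__main__":
    rec = srp_enroll("alice@example.test", "correct horse battery")   # constructed
    print("good password:", srp_login("alice@example.test", "correct horse battery", rec))
    print("bad password: ", srp_login("alice@example.test", "wrong", rec))
```

In the SRP path the only values leaving the client are A and M1, neither of which lets an eavesdropper or the server recover the password, and the M2 check is what gives the server-to-client authentication mentioned in the second bullet. The salted-hash path is correct too, but note that `salted_hash_login` has to receive the plaintext, which is exactly the exposure the first bullet describes.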
