How secure is 1Password for Families?
We all know that 1Password is traditionally very secure. I'm in full control of my data and it absolutely cannot be decrypted with the password.
But what about 1Password for Families? If I understand correctly, the vault can be displayed in the browser. Doesn't this mean that Agile has the ability to decrypt the vault? I asked this question direct to customer support when Families was announced, but never got an answer.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
tekcor asks: "If I understand correctly, the vault can be displayed in the browser. Doesn't this mean that Agile has the ability to decrypt the vault?"
I'm not an AgileBits employee and I'm not an expert at encryption or any related subjects, but I'm 99.99% sure the answer to your question is NO. Your password files sit on a remote server somewhere, thoroughly encrypted. When you connect via secure (https) connection in your browser, you'll have to provide the decryption key (your 1Password superpassword). Without that superpassword, nobody else can access your file—not AgileBits, not even the FBI.
(Hope I'm right. Pretty sure I am.)
Will
Addendum: NOTE that it's always been the case that your superpassword for 1Password is super important. I don't know what, if any, additional levels of protection (say, two-step authentication) AgileBits provides for 1P for Families. So it's critically important for that superpassword to be long and strong and for you not to share it with anybody, not to leave it lying around on a sticky note, etc.
0 -
Hi @tekcor, I'm not with AgileBits but as @williamporter said, the design of Teams and Families is such that AgileBits does not have access to your account. They do store the encrypted data, but it is only ever decrypted in your browser (or in the local applications for platforms with support) and requires both your Account Key, which they randomly generate (that's why it's important to keep a Teams or Families Emergency Kit printed from your account somewhere safe), and your Master Password, neither of which is sent unencrypted to AgileBits.
There should be some additional security information at https://support.1password.com/teams-faq/ and there's a large, 60+ page Whitepaper on Teams and Families security that likely has between everything you wanted to know and way more than you wanted to know, depending on your level of comfort with cryptography and math :-)
0 -
Some great info here. The links dszp posted should provide any additional insight, but if you have further questions please let us know!
Ben
0 -
Can you clarify why encryption in the browser was so frowned upon before, and is now acceptable?
0 -
I'm still a bit unsatisfied, even after reading about the account key.
Apparently I can reset the password of a family member that's lost theirs. How is that possible if the password + account key comprise the encryption key?
0 -
Can you clarify why encryption in the browser was so frowned upon before, and is now acceptable?
I'm not sure I understand the question. Could you provide some context? In what way was encryption in the browser frowned upon?
Part of the answer may be "because of the Web Cryptography API," which is relatively new, but it would help to understand the question better before giving a more definitive answer.
Apparently I can reset the password of a family member that's lost theirs. How is that possible if the password + account key comprise the encryption key?
That is because you, as an account owner, hold all of the keys to the kingdom. AgileBits cannot perform this kind of recovery because we do not. As mentioned in our recovery guide:
We can’t help you, but you can help yourself.
1Password for Teams Admin Guide: Account Recovery
Ben
0 -
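To make the two points above concrete (the vault needs both the Account Key and the Master Password, and the account owner, not AgileBits, can recover a member who lost theirs), here is an added toy model written for this thread. It is not 1Password's real algorithm or wire format: the key derivation, the HMAC-based key wrapping, the record layout and the field names are all assumptions made for illustration, built only from the Python standard library.

```python
import hashlib, hmac, os

# Toy model of the scheme discussed in this thread (constructed here; not 1Password's real
# algorithm). The vault key is wrapped twice: once under a KEK derived from Master Password +
# Account Key, and once under a recovery key held only by the account owner.
PBKDF2_ROUNDS = 100_000

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def derive_kek(master_password: str, account_key: bytes, salt: bytes) -> bytes:
    """Both secrets are needed: the password part is slow-hashed, the Account Key part
    is high entropy, and the two halves are combined so either alone is useless."""
    pw_part = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ROUNDS)
    ak_part = hmac.new(account_key, salt, hashlib.sha256).digest()
    return _xor(pw_part, ak_part)

def wrap(kek: bytes, key: bytes) -> dict:
    """Encrypt-then-MAC a 32-byte key with an HMAC-derived keystream (toy, stdlib only)."""
    nonce = os.urandom(16)
    ct = _xor(key, hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest())
    tag = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}

def unwrap(kek: bytes, blob: dict):
    """Returns the 32-byte key, or None if the KEK is wrong or the blob was tampered with."""
    expected = hmac.new(kek, b"mac" + blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None  # wrong password, wrong Account Key, or modified ciphertext
    return _xor(blob["ct"], hmac.new(kek, b"enc" + blob["nonce"], hashlib.sha256).digest())

def enroll(master_password: str, owner_recovery_key: bytes):
    """Returns (server-side record, Account Key, vault key). The record holds no secret:
    the server never sees the password, the Account Key, or the unwrapped vault key."""
    account_key, salt, vault_key = os.urandom(32), os.urandom(16), os.urandom(32)
    kek = derive_kek(master_password, account_key, salt)
    record = {"salt": salt, "user_wrap": wrap(kek, vault_key),
              "recovery_wrap": wrap(owner_recovery_key, vault_key)}
    return record, account_key, vault_key

def open_vault(record: dict, master_password: str, account_key: bytes):
    return unwrap(derive_kek(master_password, account_key, record["salt"]), record["user_wrap"])

def owner_reset_password(record: dict, owner_recovery_key: bytes, new_password: str):
    """Recovery by the owner, not the provider: the owner's key unwraps the member's vault
    key, which is re-wrapped under a fresh Account Key + the new password. Returns the new Account Key."""
    vault_key = unwrap(owner_recovery_key, record["recovery_wrap"])
    if vault_key is None:
        return None  # not the owner: nobody without the recovery key can reset the member
    new_account_key, record["salt"] = os.urandom(32), os.urandom(16)
    record["user_wrap"] = wrap(derive_kek(new_password, new_account_key, record["salt"]), vault_key)
    return new_account_key
```

Whoever holds only the server-side record (the provider, or anyone who obtains it) has neither secret and cannot unwrap the vault key; the owner's recovery key is what makes a password reset possible without the provider.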
Thanks, that seems to be the answer I was hoping for. So decryption happens in the browser/client side? Even as a skilled web developer, that's very impressive.
0 -
For further discussion on my question and clarification on what I was referring to, see this thread: https://discussions.agilebits.com/discussion/60939/can-you-elaborate-on-potential-browser-javascript-vulnerabilities-for-families-teams
0 -
So, having developed a browser extension in the past, and having also developed a web app using GWT, I think it actually would be possible for the AgileBits code running in the browser extension to, after decrypting a password, send it back to the Agile server if they implement proper CORS protocols. I could be wrong.
0 -
Indeed, it is technically possible, but it would be a death knell to 1Password if we ever did that. It's really no different than when you enter your Master Password in the Mac app, for example. If we were nefarious, we could collect that, but we would go out of business faster than lightning. As this is how we make our living, we are highly motivated to never do that. The idea of us transmitting user passwords to something other than the app/browser that you are using is just anathema to everything we do.
However, as LeVar Burton used to always say on Reading Rainbow, "You don't have to take my word for it…" 1Password is constantly subject to scrutiny (especially its network traffic) by outside security experts.
0 -
Good answer. So, am I being dumb: I noticed that, perhaps in the confusion of importing passwords from LastPass and setting up my vault, etc., I inadvertently created an entry for 1Password itself including the master password. Convenient for logging into the site, but probably a Bad Idea. (?)
0 -
I actually have different Master Passwords for my local vault(s), my AgileBits team account, and my family account. I save the Master Passwords for my team and family accounts in my local vault so I can easily access them with nothing but a local backup. However, I may consolidate them in the future by changing my Master Passwords for my team/family accounts to be the same as my "main" one. It's called 1Password, after all, not 3Password. I just haven't gotten around to it. :)
You may be interested to read this other thread, which I just came across a moment ago:
Should existing 1Password users store Teams master password in their vault?
0