Website Vault Encryption?
Hello,
I am currently working for an IT Company and we want to talk a few of our clients into using your sync service to keep track of all of their passwords. I personally use it with my family and love it. My question is in regards to using your sync service and having access to the vaults online. I understand it's under a secure HTTPS connection with an SSL certificate. My understanding is even when my data is encrypted on your server, when I log in online to the secure site, even for split seconds, isn't there a period of time that my data is vulnerable?
If I understand correctly, that's what happened to Dashlane when they were hacked. What makes the security different for 1Password? If your server is hacked like theirs was. When I am viewing my vault online within my browser, how is the transmission of data through 1Password kept safe and encrypted throughout the whole process and protocol of going from your servers to my browser?
Any help would be greatly appreciated!
Comments
Hey @macstein23!
Thank you for taking the time to write in. I'm glad you and your family have enjoyed using 1Password. :)
Those are healthy concerns to have. I'd like to address this point, in particular:
"What makes the security different for 1Password? If your server is hacked like theirs was."
Our main differentiator is something called the Account Key. In the standalone version of 1Password, everything is protected by your Master Password and all the security wizardry in the app. But with an account, the Account Key is used to strengthen things even further. If you have a weak password, it's extremely unlikely someone will be able to access your data because the Account Key is a 128-bit string of characters that's generated locally when you set up your account. It never leaves your device, and we ask that you print it out to have a copy in case you need it later — you're probably not going to remember the whole thing. ;)
We also use an enhanced version of the Secure Remote Password protocol to prevent Man-in-the-Middle attacks; your Master Password and Account Key are never actually transmitted to or stored by us.
You can read more about how we keep your data safe by reading the draft of our Security White Paper: https://1pw.ca/whitepaper
Hope that helps! :)
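An added sketch (not 1Password's code and not part of the reply above) of why a locally generated 128-bit Account Key protects a weak Master Password when only server-side data is stolen. The mixing step (PBKDF2 output XORed with an HMAC of the Account Key), the plain hash standing in for a stored verifier, and all names and sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ROUNDS = 100_000  # assumed PBKDF2 work factor for this sketch


def new_account_key() -> bytes:
    """128 random bits, generated on the device and never sent to the server."""
    return secrets.token_bytes(16)


def derive_key(master_password: str, account_key: bytes, salt: bytes) -> bytes:
    """Assumed mixing step: slow password hash XOR a key expanded from the Account Key."""
    slow = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ROUNDS)
    expanded = hmac.new(account_key, b"account-key" + salt, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(slow, expanded))


def stored_verifier(key: bytes) -> bytes:
    """Stand-in for a server-side value derived from the key (a plain hash, not SRP)."""
    return hashlib.sha256(b"verifier" + key).digest()


def wordlist_recovers_key(verifier, salt, wordlist, account_key_guess) -> bool:
    """True if any candidate password, combined with the guessed Account Key, matches."""
    return any(
        hmac.compare_digest(stored_verifier(derive_key(word, account_key_guess, salt)), verifier)
        for word in wordlist
    )


def demo() -> tuple[bool, bool]:
    salt = secrets.token_bytes(16)
    account_key = new_account_key()
    verifier = stored_verifier(derive_key("letmein", account_key, salt))  # weak password
    wordlist = ["password", "123456", "letmein"]  # constructed; contains the real password
    # Stolen server data only: the Account Key must be guessed out of 2**128 values.
    without_key = wordlist_recovers_key(verifier, salt, wordlist, bytes(16))
    # Same wordlist on the owner's device, where the Account Key is available.
    with_key = wordlist_recovers_key(verifier, salt, wordlist, account_key)
    return without_key, with_key


if __name__ == "__main__":
    print(demo())
```

Even though the wordlist contains the correct password, the check fails without the Account Key, which is the property the reply attributes to it.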