With 1Password Accounts, where is my data actually *stored*?
I don't want my vaults stored on the Internet itself. That's what "1Password Accounts" actually does, doesn't it?
I mean, I am aware of 1P's security measures, and I do trust them, but it still leaves me cold to think that my 1Password file - and thus, my entire digital life - might be just sitting around on the Web.
And I guess I'm still confused as to what "1Password Accounts" gets me, that my current model does not. Can somebody explain this? Right now, I have 1Password on the Mac, and 1Password on my iOS devices. They sync with each other every time I launch. So what does "Accounts" do, that this does not do?
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
Hi @Mr. Laser Beam! They are indeed stored on the internet, but not unlocked. ;) There are three umbrellas of security in 1Password accounts. Before all of them is your Master Password and Account Key. In the standalone version of 1Password, everything is protected by your Master Password and all the security wizardry in the app. But in an account, the Account Key is used to strengthen things even further. If you have a weak password, it's very unlikely someone will be able to access your data because the Account Key is a 128-bit string of characters that's generated locally when you set up your account. It never leaves your device, and we ask that you print it out to have a copy in case you need it later — you're probably not going to remember the whole thing. ;)
It’s great to have a Master Password and Account Key protect your data, but they also need to communicate with the server to access your data, so we use three layers to protect things at rest and in transit. The first layer is based on your Master Password and Account key, which are used to derive a secret that is used to securely encrypt all of your data, both at rest and in transit between your devices and our servers. The second layer is based on the Secure Remote Password protocol. It allows your devices and our servers to make sure they are who they say they are. This provides an additional layer of protection against attack. The third and final layer is the standard TLS/SSL protocol. This layer provides a final layer of encryption and also allows your web browser to indicate that you were communicating directly with a 1Password web server.
Learn more about how 1Password protects your data when you use a sync service. You can also read our security white paper to find out how the architecture works.
0 -
So this Account Key is not something that can be easily hacked?
0 -
@Mr. Laser Beam As I mentioned, neither your Account Key nor Master Password are sent to our servers. Decryption happens locally on your device, and your Account Key and Master Password are both required to be present for unlocking to happen.
0 -
Would/could I still use the same master password as I do now?
0 -
Indeed. Though, it's a great opportunity to start using a stronger one if you want to. :)
0 -
_your Account Key and Master Password are both required to be present for unlocking to happen.
This doesn't mean I have to have the Account Key nearby every time I launch 1Password, does it?
When I'm at home, this wouldn't be a problem, but if I'm travelling, would I have to take the Account Key along every time I wanted to use 1P?
0 -
This doesn't mean I have to have the Account Key nearby every time I launch 1Password, does it?
Nope. The Account Key is only used to authorize a new device. Once the device is authorized, you just unlock with your Master Password just like you're used to doing. :)
0 -
If the device is erased or reformatted (for example, an iOS or macOS update), does this affect the key in any way?
0 -
@Mr. Laser Beam: If the device is erased, reset, etc. you'll need to authenticate again using the Account Key to authorize it to access your 1Password.com Account. But doing so does not directly affect the Account Key itself. It won't change unless you choose to regenerate it in your Profile settings. I hope this helps. Be sure to let me know if you have any other questions. You've been asking some great ones! :)
0 -
Your site says that the Account Key never leaves my device and isn't transmitted over the Internet. But what if I sign in from a computer that isn't mine? Such as if it's a public/shared computer (although using 1P on a public machine would probably be a bad idea anyway) or a relative's machine. In that case, wouldn't the key AND the master password have to be sent over the net?
I mean, I can understand why I wouldn't need the key every time I launch one of the apps (macOS or iOS). But if I sign in using a web browser, doesn't that transmit all my data over the net?
Edit: It's the "Secure Remote Password" section on your site that I'm a bit confused about. How is this different from when you log into any other site and enter a username and password? I've read that section many times and I'm still trying to process it...
0 -
Your site says that the Account Key never leaves my device and isn't transmitted over the Internet. But what if I sign in from a computer that isn't mine? Such as if it's a public/shared computer (although using 1P on a public machine would probably be a bad idea anyway) or a relative's machine. In that case, wouldn't the key AND the master password have to be sent over the net?
@Mr. Laser Beam: Well, this is really splitting hairs, but if you're entering your Account Key and/or Master Password on a device which is not yours, then of course it has left your device strictly speaking...but only because you actively used it on someone else's machine. And we're in agreement that this probably isn't a good idea in the first place. :sunglasses:
However, the more important point is that the Account Key and Master Password are literally never transmitted over the internet by 1Password apps or the web interface, regardless of where you choose to use it. This is accomplished using SRP (Secure Remote Password). You can read more details on how all of this works in our white paper, and don't hesitate to ask any other questions you may have! :)
I mean, I can understand why I wouldn't need the key every time I launch one of the apps (macOS or iOS). But if I sign in using a web browser, doesn't that transmit all my data over the net?
If you use login to 1Password.com "normally", the Account key is stored locally in the browser's secure storage. And if you select the "public" option, it isn't stored, and 1Password won't "remember" you at all so that the Account Key is required again next session.
Edit: It's the "Secure Remote Password" section on your site that I'm a bit confused about. How is this different from when you log into any other site and enter a username and password? I've read that section many times and I'm still trying to process it...
Websites are often transmitting the password or a hash of it, even if securely over SSL/TLS/HTTPS, as this is much easier. 1Password.com on the other hand, is performing its cryptographic operations locally within the client — your web browser. You've probably noticed that when you login to 1Password.com its noticeably slower than logging into other sites. That's because the web app is really running in the browser on your machine (and encrypting and decrypting your data there), not being processed by the server and merely sending you HTML and images to display. Literally the data is encrypted on your device so that's all the server ever gets: encrypted data. There's more to it than that of course, but l think that the performance of WebCrypto is a good illustration. :)
0 -
If you use login to 1Password.com "normally", the Account key is stored in the browser's secure storage.
This doesn't mean browser cookies, does it? Because IIRC cookies are not secure.
One more thing: When somebody signs up for a 1Password account and begins moving items into it, those items will disappear from their old location, is that right?
Meaning: Let's say I sign up for a 1P account, link it to my macOS app, then start moving stuff into it via that app. If I left my iOS devices on iCloud sync, would I still be able to use 1P on those devices as normal - i.e. let them keep syncing with iCloud until I'm done setting up my account - or would my stuff start disappearing from iCloud as soon as I began using the macOS app to move my stuff over?
(The reason I ask this is because I'm a bit skittish about setting up a 1P account and I would want to make sure it's all working properly on my macOS app first, just to make sure my 1P data doesn't vanish or something)
Edit: I looked at what your website says about moving items into a 1P account and it says that for those who have multiple vaults (as I do), 1P can't move all the data at once and so I would have to move all items one at a time. So can I copy the items, not move them, just to make sure I have everything in my 1P account before I break all contact with iCloud?
0 -
This doesn't mean browser cookies, does it? Because IIRC cookies are not secure.
@Mr. Laser Beam: Nope. If we were using cookies we couldn't get that kind of granularity or security. ;)
One thing you'll probably notice right away is that a 1Password.com login session breaks easily. We don't want to take any chances of someone hijacking your session, so any time you navigate it has to be an unbroken chain. It's a bit weird to talk about, but I think you'll see what I mean.
One more thing: When somebody signs up for a 1Password account and begins moving items into it, those items will disappear from their old location, is that right?
It depends on what they do. They won't disappear on their own, but if they are copied and deleted from the original vault they will only exist in the 1Password.com Account going forward...unless they are moved back at some point.
(The reason I ask this is because I'm a bit skittish about setting up a 1P account and I would want to make sure it's all working properly on my macOS app first, just to make sure my 1P data doesn't vanish or something)
Completely understandable! Honestly if you're on the fence I'd keep the original vault intact like you mentioned until such time as you decide to go all in on 1Password.com. Let me know if you have any other questions! :)
0