Question about security. Again.
Could you please explain again what is more secure: to have a subscription and keep all my data on your server, or to have a standalone license and keep all data locally? I understand that there is no 100% secure system. But how do you protect my data in the following situations:
1. Suppose your organization has a security breach and all user data is leaked to someone (as in the cases of Yahoo, Target, you name it). How difficult would it be for a person or organization who gets this data to use it?
2. Say, hypothetically, one of your employees has some kind of problem and this person decides to sell your users' data to someone else.
1Password Version: 6
Extension Version: 6.2.333d
OS Version: windows 10
Sync Type: 1password account
Comments
-
Hi @valermit - Great questions and I'll be happy to address your concerns.
With our 1Password.com accounts, all of your data is encrypted using a randomized Account Key in conjunction with your Master Password. We don't store Account Keys or Master Passwords since it would compromise the security of our users. We don't want anyone to have access to the keys to your account, including us. Therefore, if you were to ever lose or forget your Account Key or Master Password, we can't reset this information since we don't have it.
The Account Key is used to strengthen things even further. If you have a weak password, it's very unlikely someone will be able to access your data because the Account Key is a 128-bit string of characters that's generated locally when you set up your account. It never leaves your device, and we ask that you print it out to have a copy in case you need it later — you're probably not going to remember the whole thing. ;)
It’s great to have a Master Password and Account Key protect your data, but they also need to communicate with the server to access your data, so we use three layers to protect things at rest and in transit. The first layer is based on your Master Password and Account Key, which are used to derive a secret that is used to securely encrypt all of your data, both at rest and in transit between your devices and our servers. The second layer is based on the Secure Remote Password protocol. It allows your devices and our servers to make sure they are who they say they are. This provides an additional layer of protection against attack. The third and final layer is the standard TLS/SSL protocol. This layer provides a final layer of encryption and also allows your web browser to indicate that you were communicating directly with a 1Password web server. If you'd like to learn more about the security of 1Password, head to https://1password.com/security.
As an employee, I don't have access to any of your data. I can't delete your account, I can't view any data stored within your account. Furthermore, 1Password is funded by you not advertisers or investors. Last but definitely not least, we have sustainable prices, so we can serve you for years to come without exploiting you or your data. It’s possible for a company to cut corners on pricing, but then they might need investors’ money, a buyer with deeper pockets, or — worst of all — advertising money at the expense of your privacy. We have gone out of our way to build 1Password so that we have no information about your data or about how you use 1Password. It is not merely that we choose not to collect or use data about you; we have designed our systems so that, for the most part, we don’t even have the capability to collect data about you or how you use 1Password.
I hope this helps and let us know if you have any additional questions. I'll be happy to help out. Have a fantastic day :-)
0 -
Thank you very much for your answers. I really appreciate this.
0
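The reply above describes a Master Password and a locally generated 128-bit Account Key being combined to derive the secret that encrypts the data. The Python sketch below is an added illustration, not 1Password's code or its exact construction: the PBKDF2/HMAC/XOR combination, the iteration count, the labels, the function names and the key-check tag standing in for encrypted data are all assumptions made for the example. It shows why a copy of the server-side record is not enough to confirm even a weak password without the device-held Account Key.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000  # assumed work factor, chosen for the example


def new_account_key() -> bytes:
    """128-bit random secret created on the device; it is never sent to the server."""
    return secrets.token_bytes(16)


def derive_unlock_key(master_password: str, account_key: bytes, salt: bytes) -> bytes:
    """Combine both secrets into one 256-bit key (illustrative construction)."""
    # Slow, salted stretching of the human-chosen Master Password.
    stretched = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    # Expand the high-entropy Account Key to the same length, bound to the salt.
    mask = hmac.new(account_key, b"account-key-mix" + salt, hashlib.sha256).digest()
    # XOR: the result is unknown unless BOTH inputs are known.
    return bytes(a ^ b for a, b in zip(stretched, mask))


def key_check_tag(unlock_key: bytes) -> bytes:
    """Stand-in for encrypted vault data: only the right key reproduces it."""
    return hmac.new(unlock_key, b"key-check", hashlib.sha256).digest()


def password_confirmed_by_record(salt, tag, candidates, account_key):
    """Return the candidate that matches the stored record, or None."""
    for candidate in candidates:
        key = derive_unlock_key(candidate, account_key, salt)
        if hmac.compare_digest(key_check_tag(key), tag):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample data: a deliberately weak Master Password.
    salt, account_key = secrets.token_bytes(16), new_account_key()
    record_tag = key_check_tag(derive_unlock_key("hunter2", account_key, salt))
    wordlist = ["password", "hunter2", "letmein"]
    # The owner's device holds the Account Key, so the password verifies.
    print(password_confirmed_by_record(salt, record_tag, wordlist, account_key))
    # A copy of the server record alone: even the right password finds no match.
    print(password_confirmed_by_record(salt, record_tag, wordlist, new_account_key()))
```

In this sketch the only values a server would hold are the salt and the tag; the Account Key stays on the device, so the search space for someone holding just the record is the password space multiplied by 2^128.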