
The QR code in the "Get the Apps" page and the PDF in the "emergency kit" contain the master key

pmembrey (Community Member), edited October 2017 in Memberships

Hi guys,

It's my understanding that the master key and the master password are never sent to you in the clear and that this is a big part of your security model i.e. as you never see these, you have no possible way of decrypting the vaults.

However, both the PDF in the emergency pack (which appears to be generated server side) and the QR code in the "Get the Apps" page on your site contain the master key. How is this possible when you don't store the master key?

I can imagine that the QR code could be generated locally in the browser and that the master key is stored locally in browser storage, but the PDF doesn't seem to be.

So my question really is, how can the QR code and the PDF contain the master key, when you guys never see it?

Thanks in advance!


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • AGAlumB (1Password Alumni)

    It's my understanding that the master key and the master password are never sent to you in the clear and that this is a big part of your security model i.e. as you never see these, you have no possible way of decrypting the vaults.

    @pmembrey: Correct. We only have the encrypted database, not the Master Password (which you chose) or Secret Key (which was generated locally on your device).

    However, both the PDF in the emergency pack (which appears to be generated server side) and the QR code in the "Get the Apps" page on your site contain the master key. How is this possible when you don't store the master key?

    It's in your browser, because you entered it there; otherwise you wouldn't be able to access your account or data stored in it. This is kept in the browser's local storage unless you deauthorize it, or check the "This is a public or shared computer" box when signing in.

    I can imagine that the QR code could be generated locally in the browser and that the master key is stored locally in browser storage, but the PDF doesn't seem to be.

    Yep! It's created on demand right in your browser. The entire 1Password.com web app runs locally there.

    So my question really is, how can the QR code and the PDF contain the master key, when you guys never see it?

    See above. Perhaps more importantly, even when you sign in, your Master Password and Secret Key are never transmitted to us. We're using the Secure Remote Password protocol so that your device is sending us a "verifier" that mathematically proves you know these secrets without actually revealing them to us. Definitely check out the white paper for more details. Cheers! :)

This discussion has been closed.