What sort of protections do we have if 1Password is hacked? Can our vaults be decrypted?

tx2005
Community Member

So I'm pretty new to password managers and I settled in on 1Password after researching many options. Last night I came across some discussions from privacy/security conscious people, and many said that solutions like 1Password and LastPass have serious security flaws (I guess due to our vaults being stored in the cloud).

Can anybody here give me some comfort to know my data is safe, even in the worst case scenario of a hack here at 1Password? What sort of protections do we have to ensure our Master passwords and vaults are safe? Also, doesn't having 2FA set up with your 1Password account also provide additional security?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Hi @tx2005,

    That's a great question. One that I'm going to have trouble not getting into the weeds trying to answer... so I'm going to try to keep it relatively high level and please feel free to ask for more details on any points that I mention.

    To put it bluntly: we assume that 1Password one day will be hacked. That may come as a shock to you, but it's important that we think that way. Don't get me wrong, we'll work really damn hard to avoid that, but when designing 1Password we have to keep this in mind.

    It was critical for us to find ways of protecting our customers if ever that was to happen even before we ever built 1Password.com. It was step 0. As you've likely read elsewhere, your data is encrypted by a key derived from your Master Password. So it's important to have a really strong Master Password. This way if ever an attacker got into our server the likelihood that they can decrypt your data is much smaller. Much smaller isn't quite good enough though. And that's why we have the Secret Key. You can think of the Secret Key as being an extension of your Master Password for your data when on our servers. While a good Master Password would make your data very difficult to crack, the combination of the Master Password + Secret Key makes it nearly impossible (I have to qualify that with 'nearly' because nothing is impossible).

    We also use additional protections on our server like Amazon's KMS encryption keys to further encrypt certain pieces of data which would make it even harder for the attackers to get anything useful.

    We try very hard to make sure that the data that's sitting on our servers is as useless as possible without your Master Password & Secret Key.

    Also, doesn't having 2FA set up with your 1Password account also provide additional security?

    Two-factor authentication can add some security, but not in the case of 1Password getting hacked. Where 2FA helps is that if someone somehow obtains both your Secret Key and Master Password, they won't be able to sign in to your 1Password account from a new device. That's useful, but it's there to protect against something different than 1Password having been compromised.

    Does that answer your question?

    Rick
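To make the "Master Password + Secret Key" idea above concrete, here is an added illustration (not 1Password's actual scheme or code) of a two-secret key derivation: a slow password hash is combined with a hash of a high-entropy Secret Key that never leaves the user's devices, so server-side data alone (salt and a key-check value) is not enough to reconstruct the vault key even with the correct Master Password. PBKDF2-HMAC-SHA256, a minimal HKDF, the XOR combination, the iteration count and the key-check construction are all assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this illustration only (not 1Password's real values).
PBKDF2_ITERATIONS = 100_000
KEY_LEN = 32


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = KEY_LEN) -> bytes:
    """Minimal HKDF (RFC 5869) extract-and-expand using only the stdlib."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_vault_key(master_password: str, secret_key: Optional[str], salt: bytes) -> bytes:
    """Slow hash of the Master Password, XORed with a hash of the Secret Key.

    secret_key=None models someone holding only what the server stores: they
    can run the password derivation, but cannot mix in the device-held secret."""
    pw_part = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                                  PBKDF2_ITERATIONS, KEY_LEN)
    if secret_key is None:
        return pw_part
    sk_part = hkdf_sha256(secret_key.encode(), salt, b"vault-key")
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def key_check_value(key: bytes) -> bytes:
    """Non-secret value kept server side to confirm a derived key (constructed)."""
    return hmac.new(key, b"key-check", hashlib.sha256).digest()


def stored_server_record(master_password: str, secret_key: str) -> dict:
    """Everything the server would hold for this account: salt and key check, no secrets."""
    salt = os.urandom(16)
    key = derive_vault_key(master_password, secret_key, salt)
    return {"salt": salt, "kcv": key_check_value(key)}


def unlock_succeeds(record: dict, master_password: str, secret_key: Optional[str]) -> bool:
    """Recompute the key from the supplied secrets and compare it against the stored check."""
    key = derive_vault_key(master_password, secret_key, record["salt"])
    return hmac.compare_digest(key_check_value(key), record["kcv"])
```

Running `unlock_succeeds` with the correct Master Password but `secret_key=None` returns False, which is the property Rick describes: server-side data plus a guessed password is still not the vault key.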

This discussion has been closed.