
Question about security of providing master password on account creation

asking_questions
Community Member

I'm a longtime user of the standalone iOS app. I'm trying to set up a 1Password account so that I can try out the Windows application, since it's my understanding it's unfortunately not available without an account. I was taken aback when the sign-up process asked for my master password. From reading this forum, it seems the expectation is that I should enter the same master password I currently use for my iOS app. According to the 1Password security pages, the master password (1) is never transferred over the internet and (2) is never available to AgileBits. But if I have to enter my master password into a web form to create a 1Password account, how could either of those two facts be true? Isn't the master password getting sent to AgileBits over the internet during account creation, and if so, how does that maintain the security of my password?

Thanks.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Hey @asking_questions! Sorry about the confusion. You can use 1Password for Windows without a membership if you'd like, it just doesn't include the benefits of a membership. When signing up for a membership, you should use the Master Password you have already, unless it's too short for 1Password.com, in which case you should create a stronger one.

    According to the 1Password security pages, the master password (1) is never transferred over the internet and (2) is never available to AgileBits. But if I have to enter my master password into a web form to create a 1Password account, how could either of those two facts be true? Isn't the master password getting sent to AgileBits over the internet during account creation, and if so, how does that maintain the security of my password?

    There are three umbrellas of security in 1Password accounts. ☔ Before all of them is your Master Password and Secret Key. In the standalone version of 1Password, everything is protected by your Master Password and all the security wizardry in the app. But in an account, the Secret Key is used to strengthen things even further. If you have a weak password, it's very unlikely someone will be able to access your data because the Secret Key is a 128-bit string of characters that's generated locally when you set up your account. It never leaves your device, and we ask that you print it out to have a copy in case you need it later — you're probably not going to remember the whole thing. ;)

    It’s great to have a Master Password and Secret Key protect your data, but they also need to communicate with the server to access your data, so we use three layers to protect things at rest and in transit. The first layer is based on your Master Password and Secret Key, which are used to derive a secret that is used to securely encrypt all of your data, both at rest and in transit between your devices and our servers. The second layer is based on the Secure Remote Password protocol. It allows your devices and our servers to make sure they are who they say they are. This provides an additional layer of protection against attack. The third and final layer is the standard TLS/SSL protocol. This layer provides a final layer of encryption and also allows your web browser to indicate that you are communicating directly with a 1Password web server.

    Learn more about how 1Password keeps your data safe no matter where you sync it:

    How 1Password protects your data when you use a sync service

    Hope this helps!
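As an added illustration (not 1Password's code, and with a deliberately tiny toy group labelled as such), here is the Secure Remote Password exchange the reply above describes: the server keeps only a salt and a verifier, never the Master Password, and both sides still arrive at the same session key; a wrong password yields mismatched keys.

```python
import hashlib
import secrets

# Toy group: 2**127 - 1 is prime, but it is far too small and not a safe prime.
# Real SRP deployments use the large safe-prime groups of RFC 5054. Demo only.
N = 2 ** 127 - 1
g = 5


def H(*parts: bytes) -> int:
    """Hash byte strings together and return the SHA-256 digest as an integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def to_bytes(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")


k = H(to_bytes(N), to_bytes(g))  # SRP-6a multiplier parameter


def private_x(salt: bytes, username: str, password: str) -> int:
    # x = H(salt | H(username ":" password)); computed on the client only.
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return H(salt, inner)


def register(username: str, password: str) -> dict:
    """Client-side enrolment: build the record the server stores.
    It holds a salt and the verifier v = g^x mod N, not the password itself."""
    salt = secrets.token_bytes(16)
    v = pow(g, private_x(salt, username, password), N)
    return {"username": username, "salt": salt, "verifier": v}


def login(record: dict, password: str) -> tuple:
    """One SRP-6a exchange between a client typing `password` and a server
    that knows only `record`. Returns (client_key, server_key)."""
    a = secrets.randbelow(N - 2) + 1          # client ephemeral secret
    A = pow(g, a, N)                           # client -> server
    b = secrets.randbelow(N - 2) + 1          # server ephemeral secret
    v = record["verifier"]
    B = (k * v + pow(g, b, N)) % N             # server -> client (with salt)
    u = H(to_bytes(A), to_bytes(B))            # binds the session to A and B
    # Client side: needs x, i.e. the password the user just typed.
    x = private_x(record["salt"], record["username"], password)
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    # Server side: needs only the stored verifier v = g^x, never x or password.
    S_server = pow((A * pow(v, u, N)) % N, b, N)
    return H(to_bytes(S_client)), H(to_bytes(S_server))
```

In a real protocol run each side also sends a proof of its key (M1/M2) before any data flows, which is what lets "your devices and our servers make sure they are who they say they are".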
