Questions regarding security

marius_te
Community Member
edited June 2018 in Memberships

Hi there, I have a few questions regarding the 1password subscription security:

I used the standalone license of 1password for a few years and I’m very happy with it. The main thing about it is that I trust its secure implementation. There is no, and might never be, a perfectly secure system, but I understand and trust the system in which I store my passwords in an encrypted file on dropbox and I and only I have the master code to decrypt it locally on my devices.

Today I wanted to try out the new version of 1password in the subscription model because I think the 43$ per year are worth having the software for Mac and Windows with future updates.

When I wanted to sign up for the trial in the browser the site wanted me to already set the master code, which made me a bit suspicious. When I was finished entering my details I was asked to save the emergency kit which includes my secret key.

I considered switching from the dropbox sync to the subscription model to get new updates and support the developers of an app which I use daily across multiple devices and operating systems, but the signup process today made me lose some of the trust in the devs of 1password.

I should elaborate: The main security principle of 1password in its current form is quite simple and can be found in the whitepaper:

https://1password.com/files/1Password for Teams White Paper.pdf

Basically you need three components to decrypt your password vault:
1. The encrypted vault
2. The master key
3. The secret key

When I activate the sync to the agilebits servers all three components are or were at some point on the servers of 1password. The encrypted vault through the sync, the master key during account creation and the secret key when the website sent me the emergency kit (which means that the secret key was generated on 1password’s servers).

I want to emphasise that it is not about the subscription model, I’m glad to pay for software that I use, my concerns are about security.

This leaves me with a few questions:

  1. Why does 1password prompt me to send my master code to their servers during account creation? This seems to be an unnecessary security risk. Additionally I see no reason why 1password’s server would ever need my master code. If you want to use it as authentication, why compromise the master code when you can just set up a simple email and password combination which has nothing to do with the password vault? It should be pointed out that 1password claims that “Your Master Password is never stored alongside your 1Password data or transmitted over the network” which is just not true considering I had to enter it during the setup of the membership into the web browser.

  2. Why does 1password generate the secret key on their server and send it to me via a web browser? This has the obvious problem that:
    a) 1password now has the second part to their “two-secret key derivation”
    b) This contradicts 1password’s own white paper claims that “our Secret Key is generated on your computer when you first sign up, and is made up of a non-secret version setting, (“A3”), your non-secret Account ID, and a sequence of 26 randomly chosen characters.”, also from 1password website: “Your Secret Key was created on your own device. We have no record of your Secret Key and can’t recover it.”. My secret key was clearly not generated on my computer because the whole setup process happened within my iPad’s browser. Additionally it was sent over the internet from 1password to me as a PDF.

  3. I want to continue to use 1password in its newest version. Is it possible to pay the subscription and continue to use the dropbox sync without transmitting 1password all necessary ingredients to decrypt my password vault?

  4. Is it possible to use the 1password sync without giving 1password server my master code and the secret key? I don’t have to give dropbox my vault password for them to store my vault either.

I don’t believe agilebits will decrypt any password or something like that, I just think security should be safe by design and not by trust. And their white paper clearly shows they know what they are doing. I wouldn’t have had the slightest concern if the website didn’t ask for the master password and sent me the secure key and immediately wanted to sync my 300+ passwords to the 1password server when I logged into the iPhone app.

These questions are not intended to spread “everything-is-bad” mood, they are meant to voice (I believe) serious concerns and I’m open to be convinced that everything is different and I misunderstood and am totally wrong. I’m not a security expert after all, just a concerned user.



Comments

  • AGAlumB
    1Password Alumni

    @marius_te: Thanks for reaching out! I'm glad you took the time to, and to check out the security white paper, but it sounds like you missed some important details. You said:

    When I activate the sync to the agilebits servers all three components are or were at some point on the servers of 1password. The encrypted vault through the sync, the master key during account creation and the secret key when the website sent me the emergency kit (which means that the secret key was generated on 1password’s servers).

    Thankfully, literally none of that is true. In fact, 1Password.com already works the way you say you want it to (with some additional security measures in place to boot). To clarify, all the crypto is performed locally on your device, whether in the native app, or in the "app" running in your browser. Only encrypted data is sent to the server and stored there, and at no point are your Secret Key or Master Password, which are needed to decrypt your data, transmitted to us. I appreciate that may sound fantastical if you haven't yet finished reading the white paper, but I encourage you to do so. It will all make sense in the end.

    So maybe you're to the point where you see that we're doing all of this locally, but still, the natural question is "How is the server not getting my credentials if I am signing in through the browser?" The answer is Secure Remote Password protocol: only a derived "verifier" is transmitted (which allows the server to verify you without you revealing these secrets to it). There's some more information (and code!) in Rick's awesome blog post on the topic, if you're interested:

    Developers: How we use SRP, and you can too

    Because you're right about the rest: we _don't_ need your Master Password at all, and really really don't want it! It would only be a liability, and isn't necessary for you to use 1Password. More to the point:

    “Your Master Password is never stored alongside your 1Password data or transmitted over the network” which is just not true considering I had to enter it during the setup of the membership into the web browser.

    It's 100% true, and it's also been verified by independent auditors and security researchers. Our design is very open (and the code for our SRP implementation is open source). :glasses:

    My secret key was clearly not generated on my computer because the whole setup process happened within my iPad’s browser.

    No, it definitely wasn't. Your iPad (and Safari, thanks to WebCrypto) is more than powerful enough to do this itself. It doesn't need the server. After all, it can run the full 1Password app, and games that crank insane 3D graphics rendered in real time — and heat up your lap in the process. :naughty:

    Additionally it was sent over the internet from 1password to me as a PDF.

    Nope! This is generated on the fly in the web app, again, running locally on your device. :sunglasses:

    I want to continue to use 1password in its newest version. Is it possible to pay the subscription and continue to use the dropbox sync without transmitting 1password all necessary ingredients to decrypt my password vault?

    It is possible, but hopefully at this point you'll appreciate that you don't have to give up the convenience of 1Password.com for security; you can have both. :innocent:

    Is it possible to use the 1password sync without giving 1password server my master code and the secret key? I don’t have to give dropbox my vault password for them to store my vault either.

    Yep! That's how we've designed it.

    I don’t believe agilebits will decrypt any password or something like that, I just think security should be safe by design and not by trust. And their white paper clearly shows they know what they are doing. I wouldn’t have had the slightest concern if the website didn’t ask for the master password and sent me the secure key and immediately wanted to sync my 300+ passwords to the 1password server when I logged into the iPhone app.

    I'm sorry for the confusion that caused. But we do want 1Password to work seamlessly for people, so we don't make folks go through a whole song-and-dance to slap them in the face with the technical complexity. After all, they just want it to work.

    These questions are not intended to spread “everything-is-bad” mood, they are meant to voice (I believe) serious concerns and I’m open to be convinced that everything is different and I misunderstood and am totally wrong. I’m not a security expert after all, just a concerned user.

    Absolutely! You're right to be concerned about where you put your data and who could potentially have access to it. We are too, because we use 1Password ourselves! Regardless of our good intentions, the last thing we want is to be in a position to be used to get to our customers' data, or for a rogue employee to do it, so we've designed 1Password.com so that simply isn't possible. To sum it all up:

    1. Your 1Password data is encrypted locally on your device before it is transmitted.
    2. The server receives only an encrypted blob.
    3. Your Master Password is never transmitted.

    You might think I'm talking about 1Password.com specifically there, but that's the case no matter what 1Password setup you use — Dropbox, etc. — the only difference being that 1Password.com data is also encrypted using the 128-bit randomly generated Secret Key, which is also never transmitted to us. So there's an additional layer of security there as well.

    Indeed, when you use 1Password, AgileBits never has access to your data, regardless of the setup you choose. Even with 1Password.com, your data is encrypted on your device, so all the server ever ends up with is an encrypted blob. And since the Secret Key is generated locally, your Master Password is only known by you, and neither is ever transmitted to us, only you have the means to decrypt the data.

    Suffice to say, if someone gains access to our servers and dumps the full database (we've designed 1Password.com with this in mind), they simply don't have what they need to decrypt it, as each individual user alone has the keys to their data. So an attacker won't have that and can't get it from AgileBits, even if they get everything else.

    I hope this helps. Be sure to let me know if you have any questions at all! :)
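
The claim in the reply above (only a derived SRP "verifier" ever reaches the server) worked through as an added example; it is not part of the original thread and is not 1Password's code. Assumptions: the demo group is Node's built-in `modp14`, values are hashed as fixed-width hex, and the hypothetical `deriveX` is a simplified stand-in for the white paper's two-secret key derivation.

```javascript
const nodeCrypto = require('node:crypto');

// Demo group (assumption): the RFC 3526 2048-bit MODP prime bundled with Node, g = 2.
const N = BigInt('0x' + nodeCrypto.getDiffieHellman('modp14').getPrime('hex'));
const g = 2n;

const hex = (n) => n.toString(16).padStart(512, '0');
// Hash fixed-width hex encodings (a simplification of real SRP padding rules).
const H = (...nums) => BigInt('0x' + nodeCrypto.createHash('sha256')
  .update(nums.map(hex).join('')).digest('hex'));
const rand = () => BigInt('0x' + nodeCrypto.randomBytes(32).toString('hex'));
const mod = (n) => ((n % N) + N) % N;
function modPow(base, exp) {
  let result = 1n;
  for (base = mod(base); exp > 0n; exp >>= 1n) {
    if (exp & 1n) result = mod(result * base);
    base = mod(base * base);
  }
  return result;
}
const k = H(N, g); // SRP-6a multiplier

// CLIENT ONLY: stretch the Master Password and mix in the Secret Key.
// Hypothetical helper; x never leaves the device.
function deriveX(masterPassword, secretKey, salt) {
  const pw = nodeCrypto.pbkdf2Sync(masterPassword, salt, 100000, 32, 'sha256');
  const sk = Buffer.from(nodeCrypto.hkdfSync('sha256', secretKey, salt, 'demo', 32));
  return BigInt('0x' + Buffer.from(pw.map((b, i) => b ^ sk[i])).toString('hex'));
}

// Sign-up: the client sends only { salt, v }, where v = g^x mod N is the verifier.
function signUp(masterPassword, secretKey) {
  const salt = nodeCrypto.randomBytes(16);
  return { salt, v: modPow(g, deriveX(masterPassword, secretKey, salt)) };
}

// Sign-in: both sides simulated in one function; `wire` records every message sent.
function signIn(record, masterPassword, secretKey) {
  const wire = [];
  const a = rand(), A = modPow(g, a);                      // client ephemeral
  wire.push({ from: 'client', A });
  if (mod(A) === 0n) throw new Error('server rejects A = 0 mod N');
  const b = rand(), B = mod(k * record.v + modPow(g, b));  // server ephemeral
  wire.push({ from: 'server', salt: record.salt, B });
  const u = H(A, B);
  if (mod(B) === 0n || u === 0n) throw new Error('client rejects B or u = 0');

  // Client side: needs x, so it needs both secrets.
  const x = deriveX(masterPassword, secretKey, record.salt);
  const clientKey = H(modPow(B - k * modPow(g, x), a + u * x));
  const proof = H(A, B, clientKey);
  wire.push({ from: 'client', proof });

  // Server side: needs only the stored verifier v.
  const serverKey = H(modPow(A * modPow(record.v, u), b));
  // A production server would compare the proofs in constant time.
  return { wire, ok: proof === H(A, B, serverKey) };
}
```

The `wire` array holds only `A`, `salt`, `B` and the proof; a server database dump yields `salt` and `v`, from which recovering the secrets means guessing both the Master Password and the Secret Key.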

  • marius_te
    Community Member

    Hi @brenty, thank you for your quick and detailed response; your answer has alleviated most of my concerns and I’m honestly happy to hear that I was wrong.
    The biggest relief was the fact that the secure code and the emergency pdf were created locally. I’m still not 100% sure why I had to enter the master code in the webform in the first place but I assume now the implementation was designed the way you described. Indeed I haven’t finished reading the whole white paper, but I’ll probably finish it today.

    I’m now confident enough to try out the new version while keeping my vault in my dropbox and its backups in my (own) local and remote servers (I now know that my master password is not transmitted, but even with the most secure implementation in the world I can’t bring myself to authenticate with my master password to a server on the internet without a very, very good reason; it just needs one exploit in the browser, the webform or the implementation...). After the trial period I will decide if I go the subscription or stand alone route.

    Just one quick question. Although I don’t think I have a need for those “extra features” the vault sync to the 1password servers offers (I assume they are the reason we have to authenticate ourselves with the master code), I’m curious what they are. Do you have a link to the list of online features enabled by the master code or something similar? The only thing I could find was that passwords could be viewed and edited on the 1password site (which I don’t want).

    Cheers, and thanks again :)

  • AGAlumB
    1Password Alumni
    edited June 2018

    Hi @brenty, thank you for your quick and detailed response; your answer has alleviated most of my concerns and I’m honestly happy to hear that I was wrong.

    @marius_te: Hey, you're very welcome! Thanks for bearing with me. I didn't want to come off as "you're wrong", but in some cases we can certainly be glad to be proven so! :chuffed:

    The biggest relief was the fact that the secure code and the emergency pdf were created locally. I’m still not 100% sure why I had to enter the master code in the webform in the first place but I assume now the implementation was designed the way you described. Indeed I haven’t finished reading the whole white paper, but I’ll probably finish it today.

    I didn't expect to, but I enjoyed reading it. I hope you do too, and that you'll let us know if you have additional questions. :sunglasses:

    Regarding entering the Master Password into the 1Password.com web app, I am curious: how would you envision us doing it differently? Maybe I'm misunderstanding you, but it seems to me that there isn't anywhere else that would make sense to enter it but right there in the app when setting up the account. Let me know what you had in mind though.

    I’m now confident enough to try out the new version while keeping my vault in my dropbox and its backups in my (own) local and remote servers (I now know that my master password is not transmitted, but even with the most secure implementation in the world I can’t bring myself to authenticate with my master password to a server on the internet without a very, very good reason; it just needs one exploit in the browser, the webform or the implementation...). After the trial period I will decide if I go the subscription or stand alone route.

    Those are really good points. If it helps, you can verify that you're connected to 1Password.com, and that the website security certificate is legitimate. And, after account creation, you can use the native apps, which are digitally signed by us. Maybe this is what you were alluding to earlier: you'd prefer to be able to create the account in the native 1Password app instead of the web app. That's something we're working on, and it's already possible if you sign up through 1Password for Mac or 1Password for iOS, since we can use App Store subscriptions there.

    Just one quick question. Although I don’t think I have a need for those “extra features” the vault sync to the 1password servers offers (I assume they are the reason we have to authenticate ourselves with the master code), I’m curious what they are. Do you have a link to the list of online features enabled by the master code or something similar? The only thing I could find was that passwords could be viewed and edited on the 1password site (which I don’t want).

    You can find more details here:

    What are the benefits of a 1Password membership?

    But Travel Mode, automatic offsite backup and item history, and intra-account sharing and recovery are my personal favourites. :)

    Cheers, and thanks again :)

    Any time! Thanks for your passion for security, and for choosing 1Password! I hope you enjoy your weekend. :chuffed:

  • marius_te
    Community Member
    edited June 2018

    @brenty
    I'm glad to hear that you're working on account creation in the app.

    Regarding your question:

    Regarding entering the Master Password into the 1Password.com web app, I am curious: how would you envision us doing it differently? Maybe I'm misunderstanding you, but it seems to me that there isn't anywhere else that would make sense to enter it but right there in the app when setting up the account. Let me know what you had in mind though.

    I personally would prefer if I would never have to authenticate with my master password against a web form, like it was before. I would only use it locally on each of my devices to decrypt my password vault (locally). If you want to offer your users the ability to decrypt their password on the 1password website then this could still be an option; authenticate on the website with an email and password combination and the users who want their password accessible on the website additionally with their master password.
    Maybe I’m overcautious but the master password is (if I’m not mistaken) the equivalent of a private key. And I am extremely hesitant to enter a private key, holding all my passwords, logins, bank accounts, licenses and (other) private keys into a web form. This hesitation might be unfounded, it might not be - I don’t know.

    Sure, when I enter the password locally into the 1password app on the iPhone or Mac there might still be potential attack vectors but a dedicated app at least feels much safer than a web form.

    But I understand that I might be a special case and I understand 1password has to offer a service which has to be as accessible as possible to as many users as possible. Like I said previously, I’ll try the new software version but I’ll use for my (dropbox) vault a different master password than for my 1password login to continue to use 1password as I have before.

    Thanks again for your time and I hope I could answer your question.

    P.S.: in case I described my problem with the master password - account thing not properly; my desired solution would be to separate the encryption of my vault (master password) and the 1password login completely, like it was with previous versions of 1password. I don't want to have the same password for both things because one is just a web login, the other one is a very important private key.

  • We would definitely like to bring more of the functions from the web apps into the native apps, and/or provide a codesigned wrapper for the web app. We just haven’t gotten there quite yet. Browsers are a hostile environment, and we do recognize that. I don’t see us separating the Master Password for account functions from the Master Password that decrypts your data, but I could be wrong. :)

    Ben

  • AGAlumB
    1Password Alumni

    @marius_te: I don't mean to be a pain, but I do want to make sure we're on the same page here:

    I personally would prefer if I would never have to authenticate with my master password against a web form, like it was before. I would only use it locally on each of my devices to decrypt my password vault (locally). If you want to offer your users the ability to decrypt their password on the 1password website then this could still be an option; authenticate on the website with an email and password combination and the users who want their password accessible on the website additionally with their master password.

    Just to clarify, that's how it works: the 1Password.com web app is run locally on your machine, not on the server; so, quite literally, the Master Password is not being transmitted, and all of the crypto that's happening to display your data is also happening locally on your device as well. So this isn't really a "web login" in the sense you're thinking at all. It is unlike almost any other "web form" though (where all of this is done on the server, and often the password or a hash of it is being transmitted over the internet), so you're right to question it. I'd encourage you to check out the security white paper for more details and let us know if you have any questions.

    That said, as Ben mentioned, we recognize that there are other concerns when it comes to using a browser-based app, so we do want to make it possible to not use the web app at all in the future. Thanks for letting us know this is something you'd like as well! :)

This discussion has been closed.