Why is using a client-side generated secret key not supported yet?

endomorphismus_123
Community Member
edited September 2018 in 1Password 7 for Windows

I've been using 1Password for years, absolutely love it, still have the desktop version running with WiFi sync to my iPhone and am evaluating 1Password 7, but I still think 1Password 7 is secure enough for me until 1Password allows me to use my own secret key, generated by me, offline, on my machine, and not stored on 1Password servers. Currently I can generate (and regenerate) a secret key online in my 1Password web account, and can go back and see it if I lose it. That's great and convenient; however, this is what I consider a main weak point of the entire solution: upon a hack of 1Password servers it can be exploited to gain access to my passwords, and this makes 1Password 7 + cloud a no-go for me.

Because I can see my secret key online, it means it's stored somewhere on 1Password servers, and when 1Password gets hacked I can say bye to my encrypted data. Other services like Azure, iDrive, etc. offer the ability to generate your own secret key, use it client-side to encrypt data that is in transit through the internet, and the secret key is not saved server-side.

1Password team, when will you have this in your product? I think having this will make the product a well-secured product. Thanks


1Password Version: 7.2.580
Extension Version: Not Provided
OS Version: win10 64bit
Sync Type: Not Provided
Referrer: forum-search:secret key

Comments

  • AGAlumB
    1Password Alumni

    @endomorphismus_123: Funny thing, we already have that feature. ;)

    I'm sorry for the confusion. While you of course must be online in order to change anything in your account, none of the actual generation or changing happens on the server. The 1Password.com web app runs entirely in your browser locally, the Secret Key is generated there, and it is also never sent to or stored on the server. We're using the Secure Remote Password protocol to make that possible:

    Developers: How we use SRP, and you can too

    And that protects you (and us, frankly) from a server breach since we never have the keys to anyone's data. You can learn more about how it all works in the 1Password.com security white paper, and if you have any questions we're here for you. :)
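The property AGAlumB describes, as an added illustration (not 1Password's code): the client generates the Secret Key locally, the server only ever receives a salt and an SRP verifier, and the SRP-6a handshake lets both sides agree on a session key without the secret ever crossing the wire. The derivation of x from password plus Secret Key is a constructed stand-in for 1Password's real scheme, and the group is assumed to be the 1024-bit one from RFC 5054 Appendix A (verify the constant against the RFC before reuse).

```python
import hashlib
import secrets

# Group parameters (assumed: RFC 5054 Appendix A, 1024-bit group, g = 2).
N = int("""EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576
D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD15DC7D7B4
6154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC68EDBC3C05726CC0
2FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3""".replace("\n", ""), 16)
g = 2
NLEN = (N.bit_length() + 7) // 8

def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

def pad(n: int) -> bytes:
    return n.to_bytes(NLEN, "big")

k = H(pad(N), pad(g))  # SRP-6a multiplier

def private_x(salt, email, password, secret_key) -> int:
    # Constructed stand-in: the locally generated Secret Key is mixed into x,
    # so x (and the Secret Key) never leave the client.
    return H(salt, secret_key, hashlib.sha256(email + b":" + password).digest())

def client_enroll(email, password):
    secret_key = secrets.token_bytes(16)  # generated on the client, shown to the user
    salt = secrets.token_bytes(16)
    v = pow(g, private_x(salt, email, password, secret_key), N)
    return secret_key, (salt, v)  # only (salt, v) is sent to and stored by the server

def server_challenge(v):
    b = secrets.randbelow(N)
    return b, (k * v + pow(g, b, N)) % N

def client_session(email, password, secret_key, salt, B):
    if B % N == 0:
        raise ValueError("invalid server public value")
    a = secrets.randbelow(N)
    A = pow(g, a, N)
    u = H(pad(A), pad(B))
    x = private_x(salt, email, password, secret_key)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    return A, hashlib.sha256(pad(S)).digest()

def server_session(v, b, B, A):
    if A % N == 0:
        raise ValueError("invalid client public value")
    S = pow(A * pow(v, H(pad(A), pad(B)), N) % N, b, N)
    return hashlib.sha256(pad(S)).digest()

def run_exchange(email=b"user@example.com", password=b"correct horse"):
    secret_key, (salt, v) = client_enroll(email, password)     # enrollment
    b, B = server_challenge(v)                                 # login, server side
    A, k_client = client_session(email, password, secret_key, salt, B)
    k_server = server_session(v, b, B, A)
    _, k_wrong = client_session(email, password, b"\x00" * 16, salt, B)  # wrong Secret Key
    return k_client == k_server, k_wrong == k_server
```

A breach of the stored (salt, v) pair still does not reveal the Secret Key or the password, which is the point the reply makes about not holding anyone's keys.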

This discussion has been closed.