Encription in cloud
1Password makes the claim that our passwords stored in their cloud are safe even that 1password.com itself cannot decrypt them because to do so requires both our login password to 1password.com, which they have, and the magic key, which they say they don't have. But how do we know that they don't have the magic key since they generated it and sent it to us? How could we know for sure that they haven't retained the magic key somewhere?
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
How cam you know anything about a program for sure? Without knowing the code in full.
But the secret key was not sent to you from 1password.com. It is generated locally. But how can you trust that information?
0 -
Yup. There is some faith required. And they don't have either component of the password, not the secret key and not the password (if you have faith).
0 -
Without knowing the code in full.
Even then you have to trust that the binaries you're running were compiled from the supplied code (or compile yourself). For information on what we know, what we don't know, and how we protect what we have, please see this guide:
Ben
0