
Using master password to create 1password account?

croald
Community Member

I'm a longtime user since 1password 4, and have just discovered that 1password 7 exists. It seems to require that I create a 1password.com account. I am cautiously willing to do so, but am stopped at step 2 of sign-up/subscribe when it asks me to create a Master Password in a web form (https://my.1password.com/sign-up/master-password). One reason I've been willing to trust 1password is that I've believed I'm really the only one who knows my master password. It has never been sent across the internet or entered into anyone else's computer, and is not stored in any database. Typing it in a web form means now I'm giving it to you, too, no?

Am I confused about what password it expects me to create at that point in the sign-up process? It doesn't seem like it, because the page says right there "this is the one password you need to remember". Why on earth am I entering it before I've even downloaded the app or started creating a vault? It seems to defeat one of your basic assurances of security.

Is it possible in 1password 7 to have a master password that is not used to log into your website?


1Password Version: 7
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:master password

Comments

  • croald
    Community Member

    The answer is apparently that 1password.com is doing javascript magic so the form that looks like it's sending your password to the server doesn't actually do that, but instead some code is downloaded to run something called Secure Remote Password (SRP) and that protocol is used to authenticate you. I'm not super happy about the "code downloaded from the internet" part, and this is basically not explained anywhere on their website, but it seems like it's not as egregious as it looks.

    Even the security whitepaper forces me to kind of read between the lines. But it's better than any explanation I could find on the actual website or in the support knowledgebase. https://1password.com/files/1Password for Teams White Paper.pdf

  • Hey @croald, I'm sorry for the confusion around this! Yes, you're absolutely right - your Master Password (and Secret Key for that matter), are never sent to our server. You are still the only one who knows these.

    We tried to make this clear (in slightly simpler terms than in the whitepaper) on our security page here: https://1password.com/security/

    I agree though that it's not overly clear how we accomplish the "Only you know your Master Password." part from that page. It's great that you found the White Paper to dig into it deeper - that's what we like to see :)

    If you have any further questions, please let us know.

  • amityweb
    Community Member
    edited July 2019

    About this "I'm not super happy about the "code downloaded from the internet" part, and this is basically not explained anywhere on their website, but it seems like it's not as egregious as it looks."

    Can this not be intercepted by some man in the middle thing? Or if your own website is hacked, then the code we get to download could be something intercepting our password and sending it off to a malicious third party? Or we don't even download a code if your site is hacked, as the form is replaced with a form to send the password to a malicious user.

    Anything on a website is less secure, we have no idea what's behind the scenes on your website, if your site was hacked for example.

    Thanks

  • Lars
    1Password Alumni

    @amityweb - no. SRP isn't like a webpage that can be spoofed or mimicked. It's code that comprises the protocol used to transmit a shared secret that is NOT your Master Password or Secret Key, over the internet to us. I'd suggest either the Security link Meek provided above, or the full 1Password.com security white paper that goes into much greater detail, particularly the sections on A Modern Approach to Authentication and Appendix B on Secure Remote Password itself, if you'd like to know how it's done in detail.
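
The SRP flow referred to in the replies above, as an added example (not part of the thread and not 1Password's code): an SRP-6a exchange in which the server stores only a salt and a verifier, and the password never appears among the transmitted values. The function names, PBKDF2 as the client-side key derivation, and the choice of the RFC 5054 1024-bit group are assumptions of this example.

```python
import hashlib, secrets

# 1024-bit group from RFC 5054 Appendix A, generator 2 (example parameters).
N = int("EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
        "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
        "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
        "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2

def H(*parts):
    """SHA-256 over length-prefixed parts (bytes or ints), as an integer."""
    h = hashlib.sha256()
    for p in parts:
        b = p if isinstance(p, bytes) else p.to_bytes((p.bit_length() + 7) // 8 or 1, "big")
        h.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(h.digest(), "big")

k = H(N, g)  # SRP-6a multiplier

def derive_x(salt, password):
    # Assumption: PBKDF2 stands in for the client's key derivation.
    return int.from_bytes(hashlib.pbkdf2_hmac("sha256", password, salt, 100_000), "big")

def enroll(password):
    """Client side at sign-up: only (salt, verifier) are sent to the server."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, derive_x(salt, password), N)

def login(password, salt, v):
    """Runs both sides of one login; returns (authenticated, wire_messages)."""
    a, b = secrets.randbits(256), secrets.randbits(256)  # ephemeral secrets
    A = pow(g, a, N)                     # client -> server
    B = (k * v + pow(g, b, N)) % N       # server -> client
    if A % N == 0 or B % N == 0:         # mandatory SRP sanity checks
        raise ValueError("invalid public value")
    u = H(A, B)
    x = derive_x(salt, password)         # computed locally, never transmitted
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    S_server = pow(A * pow(v, u, N) % N, b, N)
    M1 = H(A, B, H(S_client))            # client's proof, client -> server
    return M1 == H(A, B, H(S_server)), [salt, A, B, M1]

if __name__ == "__main__":
    salt, v = enroll(b"constructed sample password")
    print(login(b"constructed sample password", salt, v)[0])  # matching password
    print(login(b"some other password", salt, v)[0])          # mismatching password
```
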

  • janwuyts
    Community Member

    Sorry guys, you are still asking me to fill my master password into a form in a web browser. I am not willing to do this. Is there a way to activate a 1Password membership without doing this?
    I am a longtime 1Password user, only now I am trying to update to version 7 with a (family) membership.
    I also tried via the iOS app, but that gets me to the same interface as on the browser. (And I already unlocked my vault opening the iOS 1Password app, so this confuses me even more.)

  • Lars
    1Password Alumni

    Welcome to the forum, @janwuyts! I definitely understand your concern -- the browser is a hostile environment, and you're right to view it skeptically. However, I'd seriously recommend you have a look through the full 1password.com security white paper that Meek recommended earlier, especially the sections titled "A Modern Approach to Authentication" and Appendix B, "Secure Remote Password." I say this because the answer to your question is no: there is no way to activate a 1Password membership without entering your Master Password. And it is truly not transmitted to us, in any form, when you create/enter it in your browser.

    If you want to pursue additional precautions when creating your Master Password, you can temporarily disable or even uninstall all other browser extensions before you do this, but you won't be able to create an account without entering your Master Password via the browser.

  • janwuyts
    Community Member

    Thanks for the fast reply, I'll go through the whitepaper and until then continue on with 1Password 6

  • Fair enough. :)

    Ben

This discussion has been closed.