How can I know 1Password doesn't upload my password like the White-paper says?

Community Member

White-paper says:
Privacy by Design It is impossible to lose, use, or abuse data one doesn’t possess. Therefore we design systems to reduce the amount of sensitive user data we have or can acquire.

How can I know 1Password don't upload my password like it says?
Any way to prove this statement ?

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided


  • AGAlumB
    1Password Alumni

    @Samuellllll: Yep. :)

    The 1Password service uses SRP -- Secure Remote Password -- so that, literally, no account credentials are transmitted. You can verify this using tools to monitor its behaviour, and we've also released the source code for our SRP implementation:

    Developers: How we use SRP, and you can too

    But for those who don't want to go to the trouble, we also participate in external audits and cooperate with and incentivize independent security researchers so that others can verify that 1Password works the way we say it does, and so we can improve it if necessary. Cheers! :)

  • jpgoldberg
    1Password Alumni

    Additionally, you (or others with the relevant skills) can monitor your own network traffic. You need to break TLS locally on your own device to get through that layer, but tools like Burb Suite allow you to do that. You can also run 1Password in debugger to see whether it behaves the way that we say it does.

    While these are not skills that everyone has, nor do all with those skills have the time and interest, this does still create a substantial chance that malicious behavior in 1Password would be detected. So even if we were inclined to be evil, we'd be running an enormous risk by doing so.

    Five years ago we wrote something about all of this. And while details have changed (see the updates at the end of the article), the general point remains the same: We can't offer a 100% solid proof that there could never be anything malicious in 1Password, but we make it hard for us (or anyone who compromises or coerces us) to get away with it undetected. As long as there is a substantial risk of being caught, such an attack is not going to pay off for the attackers.

This discussion has been closed.