How secure is 1Password for Families?

tekcor
Community Member

We all know that 1Password is traditionally very secure. I'm in full control of my data and it absolutely cannot be decrypted with the password.

But what about 1Password for Families? If I understand correctly, the vault can be displayed in the browser. Doesn't this mean that Agile has the ability to decrypt the vault? I asked this question direct to customer support when Families was announced, but never got an answer.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • williamporter
    Community Member
    edited March 2016

    tekcor asks: "If I understand correctly, the vault can be displayed in the browser. Doesn't this mean that Agile has the ability to decrypt the vault?"

    I'm not an AgileBits employee and I'm not an expert at encryption or any related subjects, but I'm 99.99% sure the answer to your question is NO. Your password files sit on a remote server somewhere, thoroughly encrypted. When you connect via secure (https) connection in your browser, you'll have to provide the decryption key (your 1Password superpassword). Without that superpassword, nobody else can access your file—not AgileBits, not even the FBI.

    (Hope I'm right. Pretty sure I am.)

    Will

    Addendum: NOTE that it's always been the case that your superpassword for 1Password is super important. I don't know what, if any, additional levels of protection (say, two-step authentication) AgileBits provides for 1P for Families. So it's critically important for that superpassword to be long and strong and for you not to share it with anybody, not to leave it lying around on a sticky note, etc.

  • dszp
    Community Member
    edited February 2018

    Hi @tekcor, I'm not with AgileBits but as @williamporter said, the design of Teams and Families is such that AgileBits does not have access to your account. They do store the encrypted data, but it is only ever decrypted in your browser (or in the local applications for platforms with support) and requires both your Account Key which they randomly generate (that's why it's important to keep a Teams or Families Emergency Kit printed from your account somewhere safe) and your Master Password, neither of which are sent unencrypted to AgileBits.

    There should be some additional security information at https://support.1password.com/teams-faq/ and there's a large, 60+ page Whitepaper on Teams and Families security that likely has between everything you wanted to know and way more than you wanted to know, depending on your level of comfort with cryptography and math :-)

  • Ben

    Some great info here. The links dszp posted should provide any additional insight, but if you have further questions please let us know!

    Ben

  • natehouk
    Community Member

    Can you clarify why encryption in the browser was so frowned upon before, and is now acceptable?

  • kDCYorke
    Community Member

    I'm still a bit unsatisfied, even after reading about the account key.

    Apparently I can reset the password of a family member that's lost theirs. How is that possible if the password + account key comprise the encryption key?

  • Ben

    Can you clarify why encryption in the browser was so frowned upon before, and is now acceptable?

    I'm not sure I understand the question. Could you provide some context? In what way was encryption in the browser frowned upon?

    Part of the answer may be "because of the Web Cryptography API," which is relatively new, but it would help to understand the question better before giving a more definitive answer.

    Apparently I can reset the password of a family member that's lost theirs. How is that possible if the password + account key comprise the encryption key?

    That is because you, as an account owner, hold all of the keys to the kingdom. AgileBits cannot perform this kind of recovery because we do not. As mentioned in our recovery guide:

    We can’t help you, but you can help yourself.

    1Password for Teams Admin Guide: Account Recovery

    Ben

  • tekcor
    Community Member

    Thanks, that seems to be the answer I was hoping for. So decryption happens in the browser/client side? Even as a skilled web developer, that's very impressive.

  • natehouk
    Community Member

    For further discussion on my question and clarification on what I was referring to, see this thread: https://discussions.agilebits.com/discussion/60939/can-you-elaborate-on-potential-browser-javascript-vulnerabilities-for-families-teams

  • Megan
    1Password Alumni

    Hi @natehouk,

    Thanks for sharing that link! It's a great discussion. Did Rob and Goldberg's replies there help or does your question still stand?

  • jregen
    Community Member

    So, having developed a browser extension in the past, and having also developed a web app using GWT, I think it actually would be possible for the AgileBits code running in the browser extension to, after decrypting a password, send it back to the Agile server if they implement proper CORS protocols. I could be wrong.

  • khad
    1Password Alumni

    @jregen,

    Indeed, it is technically possible, but it would be a death knell to 1Password if we ever did that. It's really no different than when you enter your Master Password in the Mac app, for example. If we were nefarious, we could collect that, but we would go out of business faster than lightning. As this is how we make our living, we are highly motivated to never do that. The idea of us transmitting user passwords to something other than the app/browser that you are using is just anathema to everything we do.

    However, as LeVar Burton used to always say on Reading Rainbow, "You don't have to take my word for it…" 1Password is constantly subject to scrutiny (especially its network traffic) by outside security experts.

  • jregen
    Community Member

    Good answer. So, am I being dumb: I noticed that, perhaps in the confusion of importing passwords from LastPass and setting up my vault, etc., I inadvertently created an entry for 1Password itself including the master password. Convenient for logging into the site, but probably a Bad Idea. (?)

  • khad
    1Password Alumni

    @jregen,

    I actually have different Master Passwords for my local vault(s), my AgileBits team account, and my family account. I save the Master Passwords for my team and family accounts in my local vault so I can easily access them with nothing but a local backup. However, I may consolidate them in the future by changing my Master Passwords for my team/family accounts to be the same as my "main" one. It's called 1Password, after all, not 3Password. I just haven't gotten around to it. :)

    You may be interested to read this other thread, which I just came across a moment ago:

    Should existing 1Password users store Teams master password in their vault?

This discussion has been closed.