To protect your privacy: email us with billing or account questions instead of posting here.

Master password and secret key transmitted

brandonh
brandonh
Community Member

I've been considering switching from Dropbox syncing to a 1Password.com account. I signed up for a 1Password account but the setup process concerned me. Specifically, it appears that

  • my master password (or a hash of it) must be transmitted to 1Password's website
  • my secret key must be transmitted from 1Password's website to my computer (as part of my Emergency Kit)

Can these credentials be generated locally within the 1Password app instead? Can I use a different password to decrypt my vault than I do to login to 1Password.com?


1Password Version: 6.7
Extension Version: 4.6.6.90
OS Version: macOS 10.12.5
Sync Type: 1Password account

Comments

  • Ben
    Ben
    edited May 2017

    Hi @brandonh,

    One of the great things about 1Password is that these details are not transmitted. You can read an overview here:

    About the 1Password security model - 1Password Support

    And we have a much more in-depth white paper which details how we're able to accomplish this here:

    1Password Security Design White Paper

    I hope that helps. Should you have any other questions or concerns, please feel free to ask.

    Can these credentials be generated locally within the 1Password app instead? Can I use a different password to decrypt my vault than I do to login to 1Password.com?

    The short answer is that the former already happens (or the web app, as it may be), and the latter is not possible.

    Ben

  • brandonh
    brandonh
    Community Member

    Hi Ben,

    Thanks for your reply.

    I'm still confused by the handling of the Emergency Kit (which contains the secret key). Is the PDF generated locally?

    If I later login to 1Password and download my Emergency Kit again is my secret key being regenerated?

  • Is the PDF generated locally?

    Yes. Your web browser does all of this work.

    If I later login to 1Password and download my Emergency Kit again is my secret key being regenerated?

    Nope. :) You can change your Secret Key if desired, but generating a new Emergency Kit will not do it.

    Ben

  • brandonh
    brandonh
    Community Member

    Hi Ben,

    Thanks again.

    Nope. :) You can change your Secret Key if desired, but generating a new Emergency Kit will not do it.

    How is a new Emergency Kit created if the secret key isn't known by 1Password? From where is the secret key read?

  • How is a new Emergency Kit created if the secret key isn't known by 1Password? From where is the secret key read?

    You enter it when logging into the website and your web browser remembers it for the duration of your browsing session (indefinitely if you leave 'this is a public computer' unchecked).

    Ben

  • brandonh
    brandonh
    Community Member

    Gotcha. Thanks for all your help. I'll play with this again tonight.

  • You're most welcome. :) If there is anything else we can do, please don't hesitate to contact us.

    Ben

This discussion has been closed.