Security, Resetting, and Local Data

Hi AgileBits;

I have been trying the 1Password Windows application and I have a few questions about how the security works.

1 - My understanding is that the Secret Key and Master Password are never sent to the 1Password server. If that is true then how am I able to log in to my 1Password account on the 1Password website? There is no way for the website to verify my credentials.

2 - I realize this scenario is a low risk but I'm still curious. Let's say that I am using the Windows application and I backup my computer regularly to an external hard drive. If my email account is compromised, someone could effectively "reset" my 1Password account and wipe everything with no knowledge of my Master Password or Secret Key. They could even reset my Master Password. However, I would be able to restore my backup and if I remained offline I could use my old Master Password and retrieve all data, correct?

3 - Are the attached documents in Secure Notes part of the database and encrypted? If each account is permitted 1 GB of space then the database file could theoretically exceed 1GB, correct?

4 - It looks like in Windows the 1Password database sits at %USERPROFILE%\AppData\Local\1Password\data Do the browser extensions also use this same file or do they cache another copy elsewhere?

Thanks!


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • AGAlumB
    AGAlumB
    1Password Alumni

    @1PWgigabyte: Thanks for getting in touch. Good questions! :)

    1 - My understanding is that the Secret Key and Master Password are never sent to the 1Password server. If that is true then how am I able to log in to my 1Password account on the 1Password website? There is no way for the website to verify my credentials.

    Correct. None of your secrets -- account credentials, or the information you store in 1Password -- are sent to us. When you sign in to your account, you're not really doing that on our server, like you would be with most websites; rather, the 1Password web interface is an app that downloads and runs entirely within your browser. We're using SRP to verify that you know your account credentials without them being sent to us. Pretty cool, and it's all thanks to some really powerful web standards...and of course a lot of hard work building it. :)

    2 - I realize this scenario is a low risk but I'm still curious. Let's say that I am using the Windows application and I backup my computer regularly to an external hard drive. If my email account is compromised, someone could effectively "reset" my 1Password account and wipe everything with no knowledge of my Master Password or Secret Key. They could even reset my Master Password. However, I would be able to restore my backup and if I remained offline I could use my old Master Password and retrieve all data, correct?

    If someone else controls your email, they could delete your account. They could not "reset" your Master Password. There is no password reset mechanism, as the data is encrypted using that and your Secret Key. However, in a group 1Password membership (1Password Families, for example), an admin of that membership could put your account into recovery mode to setup new credentials, so we always recommend that recovery requests be done in person. If your account was deleted though, your authorized devices would still have a local copy of the data offline.

    3 - Are the attached documents in Secure Notes part of the database and encrypted? If each account is permitted 1 GB of space then the database file could theoretically exceed 1GB, correct?

    Yes. Everything you save in 1Password is encrypted. I don't understand how you'd get more than 1GB with a 1GB limit though. Can you clarify?

    4 - It looks like in Windows the 1Password database sits at %USERPROFILE%\AppData\Local\1Password\data Do the browser extensions also use this same file or do they cache another copy elsewhere?

    I find that %LOCALAPPDATA%\1Password\ is a quicker shortcut, but yep: the 1Password desktop extension has no data of its own; it's literally just an extension of the 1Password desktop app, which handles all data and UI. I hope this helps. Be sure to let me know if you have any other questions! :)

  • 1PWgigabyte
    1PWgigabyte
    Community Member

    Thanks for the detailed reply brenty! The blog post was a very interesting read and that answers all my questions :)

    Regarding #3 - I was just curious if the file attachments go inside the database at %localappdata%\1Password\data . If I maxed out my 1 GB allotment then the db file itself would be a little larger to accommodate other data.

    Before I heard about 1Password I was planning to build a new computer for myself with full disk encryption to protect my passwords and other information. But with 1Password I can store all my sensitive info and not have to worry about any disk encryption - this will save me a ton of time and effort (and money!)

  • AGAlumB
    AGAlumB
    1Password Alumni

    Thanks for the detailed reply brenty! The blog post was a very interesting read and that answers all my questions :)

    @1PWgigabyte: You're very welcome! Thank you for taking the time to read it. :chuffed:

    Regarding #3 - I was just curious if the file attachments go inside the database at %localappdata%\1Password\data . If I maxed out my 1 GB allotment then the db file itself would be a little larger to accommodate other data.

    Ah, I think I understand now. The 1GB limit is for Documents only. You can store as much other (text) data as you want in other items. We just need to have a limit on file storage because, well...that could easily get out of hand. ;) And yes, everything in all of the vaults/accounts you have setup in the app are stored encrypted locally in that internal database.

    Before I heard about 1Password I was planning to build a new computer for myself with full disk encryption to protect my passwords and other information. But with 1Password I can store all my sensitive info and not have to worry about any disk encryption - this will save me a ton of time and effort (and money!)

    I...would still use full disk encryption. You may not have anything to hide. I think probably most people don't. However, that doesn't mean that you shouldn't have privacy, or that you should have to worry about it. Full disk encryption is awesome because if your computer is lost or stolen you don't have to go through a panicked mental checklist of what might be on there that you wouldn't want someone to steal, if only something like your family photos -- probably not incriminating, but who needs the discomfort of a stranger looking through your stuff? Even if you don't "need" it, full disk encryption is effectively free mental health insurance, as far as I'm concerned. :)

  • moof
    moof
    Community Member
    edited February 2019

    can I just tag onto this thread, as my question is of a similar nature....

    regarding #3
    on viewing some passport related data i've entered, I notice that a LINKED FILE (pdf) local copy of the document is available on my Mac (if you knew where to look or if you where dredging the drive looking for personal data)

    This doesn't need any master password, key or anything to view it?! :(

    sure its buried, deep in:
    HardDisk/private/var/folders/lg/z4dru8.../R/com.agilebits.onepassword7/com.agilebits.Attachments.noindex/4abc123...

    but it doesn't appear to be encrypted from prying eyes??

    TIA

    .
    .
    .

    *The file location is a work of fiction. Any resemblance to actual data, living or dead, is purely coincidental ;)

  • Lars
    Lars
    1Password Alumni

    @moof - well spotted! You're quite right -- in order for you to be able to view/work with any Document items you have stored encrypted in 1Password, they must first be decrypted (otherwise viewing them would be a less-than-satisfactory experience ;) ). So we create a temporary, decrypted copy buried deep in your file structure on your Mac. But "buried deep" should not be read as "impossible to find" -- indeed, for someone who knows what (s)he is doing, it would be rather trivial to find.

    These files are protected from being backed up in unencrypted form by the .noindex command, but anyone who had physical or remote access to your user account on your Mac while these files are present would be able to view/copy them. However -- and it's a big "however -- try this: open that folder at private/var/...[etc].../com.agilebits.onepassword7 with 1Password 7 for Mac running, and click File > Lock from 1Password's menu (or just type ^⌥⇧⌘L to lock 1Password), and watch what happens -- the entire com.agilebits.Attachments.noindex folder is [securely] deleted. That's why you have to re-download Documents items instead of having them just available to view in 1Password, each time you relaunch the app -- because that decrypted folder is deleted.

    This doesn't need any master password, key or anything to view it?!

    Sure it does: it required your Master Password to unlock 1Password 7 for Mac to decrypt it. And it only exists for as long as 1Password remains open and unlocked. That means if you get up to answer the doorbell or speak with a coworker or something, and when you return to your desk, 1Password has locked itself because of whatever settings you've set in Preferences > Security, that data will no longer be even present in decrypted form, let alone visible/discoverable. That's one of the reason we urge users not to set their timeout settings too generously, and to lock 1Password when they step away from their device (you should never leave an unlocked computer open in any even semi-public setting anyway). So, unless an attacker can gain physical access to your device while you're signed into your user account AND 1Password is unlocked by you with your Master Password, or they have managed to acquire remote access somehow (like by social engineering you into installing spyware), there's very little chance anyone but you will be able to see these documents. Hope that helps! :)

  • moof
    moof
    Community Member

    @Lars great detailed response THANK-YOU.
    I'll work my way through it later, line by line and test out what you are saying.

    It was just an observation that docs I thought where behind lock and key in 1password (due to their sensitivity) could be so easily accessed (or so I thought).

    THANKS again! keep up the great work

  • Lars
    Lars
    1Password Alumni

    @moof - you're quite welcome. Let me know if you have any further questions as you go through things. :)

  • moof
    moof
    Community Member

    @Lars just to confirm your instructions worked like a dream 8-)
    once locked the directory disappears before my very eyes, and only reappears when 1password is unlocked and the item re-viewed again.

    many thanks

  • Lars
    Lars
    1Password Alumni

    @moof - awesome! Glad you were able to verify this for yourself, and even more glad there are people like you out there who take the time to go through such steps; it keeps us focused on what's important, and helps make sure we don't miss anything! :)

This discussion has been closed.