Why only 256-bit encryption?

When 4096-bit encryption exists? I don't agree that 256-bit is 100% secure; nothing is secure, but 4096 takes longer (to the point where it is too long) to break into.



  • peri

    Team Member

    Hi @darrenau. Thanks for getting in touch with us. I'm glad to see you're concerned about security!

    In addition to 256-bit AES, we use PBKDF2 key derivation to prevent cracking. It would be humanly impossible to brute force your way into a 1Password account with a strong Master Password. We also use third-party assessments, like Bugcrowd, to uncover any vulnerabilities in our security model.

    Let us know if you have more questions!

  • MikeT Agile Samurai

    Team Member
    edited January 2017

    Hi @darrenau,

    To explain further, there are various encryption protocols and they all have different ways of handling the encryption, including the bit size. 256-bit is the largest possible bit size for AES (Advanced Encryption Standard), which we use. You're likely thinking of RSA, which is designed for a different purpose than what 1Password does. RSA at 4096 bit wouldn't be more or less secure than AES at 256 bit; they're just designed for different purposes, for example, how much memory you would be willing to use to get the fastest encryption speed or how much CPU you're willing to use. They all have different pros and cons.

  • brenty

    Team Member
    edited January 2017

    @darrenau: You may be interested in this excellent discussion on Stack Exchange, which goes into minute detail on the math of why 256-bit is sufficient. In fact, 128-bit is sufficient, and 256 is still very unnecessary, as it is exponentially more computationally intensive, rather than 2x. 4096 is far beyond unnecessary for the foreseeable future (and likely beyond), as anything above 256 (which is hardware-accelerated, in most cases) offers little practical security benefit, while sending the amount of work your devices have to do (and therefore how long you need to wait for an operation to complete) through the roof. After all, we want to keep our data out of reach of attackers, not ourselves. ;)

This discussion has been closed.
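
Added example (not part of the thread and not 1Password's code): a rough comparison of why the 4096 and 256 figures discussed above are not on the same scale. It estimates the work to factor an RSA modulus with the asymptotic GNFS heuristic, dropping the o(1) term, and compares it with exhaustive search of a symmetric key. The function names are hypothetical and the RSA figures are approximations, not standards values.

```python
import math


def rsa_security_bits(modulus_bits: int) -> float:
    """Approximate log2 of the GNFS work to factor a modulus of this size.

    Heuristic L_n[1/3, (64/9)^(1/3)] with the o(1) term dropped (assumption),
    so the result is a rough estimate only.
    """
    ln_n = modulus_bits * math.log(2)
    work_ln = (64 / 9) ** (1 / 3) * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return work_ln / math.log(2)


def symmetric_security_bits(key_bits: int) -> float:
    """Exhaustive key search tries up to 2^key_bits keys."""
    return float(key_bits)


def rsa_bits_for_target(target_bits: float, step: int = 256) -> int:
    """Smallest modulus size (in multiples of `step`) whose estimate reaches the target."""
    size = 512
    while rsa_security_bits(size) < target_bits:
        size += step
    return size


def work_ratio_log2(bits_a: float, bits_b: float) -> float:
    """log2 of how many times more work bits_a represents than bits_b."""
    return bits_a - bits_b


if __name__ == "__main__":
    for size in (2048, 3072, 4096):
        print(f"RSA-{size}: ~2^{rsa_security_bits(size):.0f} operations to factor")
    for size in (128, 256):
        print(f"AES-{size}: 2^{symmetric_security_bits(size):.0f} keys to search")
    # Going from a 128-bit to a 256-bit key multiplies the search space by 2^128, not 2.
    print(f"AES-256 vs AES-128: 2^{work_ratio_log2(256, 128):.0f} times more keys")
    print(f"RSA size for ~256-bit work: about {rsa_bits_for_target(256)} bits")
```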