How does 1P online works ?

Hi,
I am currently using 1P 4, in trial period, and android app. I've been reading 1P forum about how 1P online secures the data.
I understand that 1 P servers does not "stores" our data so if 1P ever gets hacked, the hacker lands up with an encrypted blob. Also, it's said that the Master Password and vault is never transmitted.

With these bits already known, I have the following queries, the answer might be a bit technical, but I'm ok with technical answers to secure my data:

  1. If 1P online, does stores encrypted vault and master password is never transmitted, how is the data visible when one logs into 1P ?

  2. Is there a way, I can use 1P online as well as dropbox ? Of course, both these needs to be in synch.

  3. How does 1P app (I use android app), knows which dropbox or 1P online account to point to ? Couldn't find any such setting

  4. Where is the vault located if I am using 1P online ? My disk , I presume. Is the vault on my disk, encrypted there too ?

  5. Every time I try to login to 1P online, it asks for account key also. How can I know if the browser is deleting the account key information automatically, which leads to 1P asking for account key at every logon ?

  6. It seems the only possible way of security breach is from the user's end i.e. if browser is compromised or key strokes are read by malware. Being a security company, could you please guide on how to (a) know if my device - both laptop and phone (Android, Samsung Note 4) is already compromised (b) if the browser is not reading the contents typed in it (c) Some other app does not reads my key strokes.
    Just want to make sure nothing is sniffing while I am creating AND using the account key or master password.

You guys rock !! the more I know about 1P, the more I fall in love with it. Kudos to you guys for making it.

Cheers,
JN


1Password Version: 4
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: dropbox

Comments

  • brentybrenty

    Team Member

    @justnishant123: Great questions! Thanks for asking them. :)

    If 1P online, does stores encrypted vault and master password is never transmitted, how is the data visible when one logs into 1P ?

    All cryptography is performed locally on your device. So the server just sends you back the encrypted data you sent it originally, and then it's decrypted on the fly by the app or your browser.

    Is there a way, I can use 1P online as well as dropbox ? Of course, both these needs to be in synch.

    You can use both for separate vaults, but it isn't possible to sync 1Password.com data with Dropbox and vice versa.

    How does 1P app (I use android app), knows which dropbox or 1P online account to point to ? Couldn't find any such setting

    You can login to your 1Password.com Account under 1Password Settings > Accounts.

    Where is the vault located if I am using 1P online ? My disk , I presume. Is the vault on my disk, encrypted there too ?

    The vault is stored on the server, but the app caches a local copy in case you're not online.

    Every time I try to login to 1P online, it asks for account key also. How can I know if the browser is deleting the account key information automatically, which leads to 1P asking for account key at every logon ?

    The only way 1Password.com doesn't store the Account Key in the browser's local storage is if you select "This is a public or shared computer" before logging in. If you're being asked for the Account Key each session, it's because you or some software on your machine is clearing it.

    It seems the only possible way of security breach is from the user's end i.e. if browser is compromised or key strokes are read by malware. Being a security company, could you please guide on how to (a) know if my device - both laptop and phone (Android, Samsung Note 4) is already compromised (b) if the browser is not reading the contents typed in it (c) Some other app does not reads my key strokes. Just want to make sure nothing is sniffing while I am creating AND using the account key or master password.

    There isn't any way for us to know whether or not your system is compromised. Even "security" software running on your own machine cannot know for certain since it can only identify known malicious software. Ultimately the only way that you can have any degree of certainty that the system is still yours is by practicing good security hygiene — for example, not visiting shady sites, using software from untrusted sources, etc. You're right that having a compromised system could put your Account Key and/or Master Password at risk, but really that's the least of your concern at that point since the attacker could just as easily get your data while you enter or access it.

    Something the setup we have with 1Password.com really has going for it is that the Account Key is only rarely entered, and because it's used to encrypt the data, it isn't possible to perform a brute force attack on the Master Password either. So it's really up to each of us to choose who we trust carefully, both when it comes to allowing others to use our devices, and whose websites we visit, and whose software we install.

    You guys rock !! the more I know about 1P, the more I fall in love with it. Kudos to you guys for making it.

    That's very kind of you. We really love what we do, and it's always good to hear from others who enjoy 1Password. Be sure to let us know if you have any other questions! :chuffed:

This discussion has been closed.