Data Security and what happens to private vaults on deleted accounts

GBuser

I signed up for a 1Password.com account on the Family free trial to allow me to sync passwords with Windows devices as well as the Mac and iOS devices at home. I synchronised my existing vault with the account and I could see my details had been uploaded to the server successfully.

However I also noticed an entry in the private vault that contained all of the 1password username/password, master password and secret key information in the private vault. Surely having that information in the vault being protected by that information is not a great move especially on your website it states

"Keeping your Master Password separate. Your Master Password isn’t stored alongside your 1Password data, or anywhere at all. This is a bit like making sure the key to a safe isn’t kept right next to it: Keeping them separate makes everything more secure."

At that point I deleted my 1Password account and free trial and reverted to the Mac Store version of 1Password for now but I'm concerned that when you have a data breach it would be possible to recover all of my passwords and that should a government agency request access to my passwords that it would be possible to hand this over even though my account has been 'deleted.'

Can you confirm that the contents of vaults from deleted accounts are purged and not recoverable?

---

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

AGAlumB

@GBuser: Thanks for reaching out. I’m sorry for the confusion! I think it's important to keep in mind the threats we're trying to protect against. Since all of the data in your 1Password.com account is encrypted using your Secret Key and Master Password, and neither is never transmitted, an attacker would have to already have these in order to get the same information stored inside your vault. This is no less secure than locking the combination to the safe inside the safe: once an attacker can retrieve the combination, they necessarily already have access to the contents of the safe, which is the thing the combination was protecting.

Regarding the data in your account, it will be purged after it is deleted, so if you want it to be gone, make sure you actually delete the account (we can help with that if you no longer have access to it and have not already taken this step). But more most importantly, us having access to your data is certainly an important concern, so I'm glad you brought it up — and that we don't. It's very much something we put a lot of thought into, since an attacker might break into our servers and steal the database...or a government agency might demand that we turn over customer data. Fortunately, we don't have anything to offer these characters.

There's a lot more detail in our security white paper (which is actually a really fun read, even if you're not into cryptography), but I can appreciate that there's a lot going on behind the scenes when it comes to 1Password securing our data that is not particularly accessible or interesting to many people. I think it's also important that 1Password doesn't shove this technical complexity in our faces. So I'd like to offer a few simple points that summarize how 1Password secures our data:

1. Your 1Password data is encrypted on your device using your Master Password and Secret Key before it is transmitted.
2. The server receives only an encrypted blob to store in its database.
3. Your Master Password and Secret Key themselves are never transmitted.

Indeed, when you use 1Password, AgileBits never has access to your data, regardless of the setup you choose. Even with 1Password.com, your data is encrypted on your device, so all the server ever ends up with is an encrypted blob. And since the Secret Key is created locally, your Master Password is only known by you, and neither is ever transmitted, no one — including AgileBits — has the means to decrypt the data.

Suffice to say, if someone gains access to our servers and dumps the full database (we've designed 1Password.com with this in mind), they simply don't have what they need to decrypt it, as each individual user alone has the keys to their data. So an attacker won't have that and can't get it from AgileBits, even if they get everything else. So while there's a lot more that goes into making all of this work smoothly, this is something that I think all of us can understand and appreciate. Let me know if that helps! :)

GBuser

@brenty Thank you for a very fulsome answer. The safe analogy is a very good one and your explanation of the of the security methodology is very detailed. I currently use the Mac Store version with the data synchronised over iCloud, can you confirm that this version also saves an encrypted blob on the Apple servers? Is there an advantage to the 1password.com subscription over the iCloud sync from a security perspective?

AGAlumB

@brenty Thank you for a very fulsome answer. The safe analogy is a very good one and your explanation of the of the security methodology is very detailed.

@GBuser: Well, it isn't a perfect analogy, but I'm glad you found it helpful. :)

I currently use the Mac Store version with the data synchronised over iCloud, can you confirm that this version also saves an encrypted blob on the Apple servers?

Yep! Not only does iCloud encrypt all of your data stored there, but 1Password encrypts your vault before it even touches iCloud, so that even if someone gains access to your iCloud account they cannot decrypt your data without your Master Password.

Is there an advantage to the 1password.com subscription over the iCloud sync from a security perspective?

Indeed, with a 1Password.com account, your data is encrypted with not only the Master Password but also your Secret Key, which is a randomly generated, 128-bit string which is effectively unguessable. So while a long, strong, unique Master Password ensures that no one will be able to guess it within our lifetimes, the Secret Key means it isn't possible to perform a brute force attack against your Master Password, since both are required. Cheers! :)

GBuser

@brenty Thanks for explaining that clearly, one last question I promise :) If I export the data from my vault and copy the zip file to another machine is the data still encrypted or is the data inside unencrypted at that point?

Jacob

@GBuser On behalf of Brenty, you're welcome. If you export the data from 1Password as a 1PIF or CSV, it will be unencrypted. Hope that helps!

GBuser

@Jacob Sorry my mistake it was in a .1p4_zip format, which I think is a backup file. Would that be encrypted with the master password or the blobs inside?

Jacob

@GBuser That is a backup file, but it's only for data stored outside a 1Password.com account. If you have a local vault, it will be backed up there and yes, it will be encrypted. If you use 1Password.com, your data is backed up automatically.

AGAlumB

@GBuser: Hey! You said one more question! ;)

Kidding! Seriously, don't ever hesitate to ask. that's what we're here for. :chuffed:

But I also wanted to sneak back in here to mention the other cool thing we can do that takes backup a step farther with 1Password.com item history. I've already used this a few times to "go back in time" when I've made a mistake and needed to restore an earlier version of an item. Love it. :sunglasses:

GBuser

Thanks @brenty and @jacob for your very detailed explanations and patience with my Colombo style 'just one more thing.'

Frank

Hi @GBuser - On behalf of Brenty & Jacob, you're very welcome! I'm glad the information helped :smile: Please feel free to let us know if you have any additional questions, we're always here for you. Have a great day!

AGAlumB

"Colombo-style"! Nice! There's always room for one more. Cheers! ;)