Using master password to create 1password account?

I'm a longtime user since 1password 4, and have just discovered that 1password 7 exists. It seems to require that I create a 1password.com account. I am cautiously willing to do so, but am stopped at step 2 of sign-up/subscribe when it asks me to create a Master Password in a web form (https://my.1password.com/sign-up/master-password). One reason I've been willing to trust 1password is that I've believed I'm really the only one who knows my master password. It has never been sent across the internet or entered into anyone else's computer, and is not stored in any database. Typing it in a web form means now I'm giving it to you, too, no?

Am I confused about what password it expects me to create at that point in the sign-up process? It doesn't seem like it, because the page says right there "this is the one password you need to remember". Why on earth am I entering it before I've even downloaded the app or started creating a vault? It seems to defeat one of your basic assurances of security.

Is it possible in 1password 7 to have a master password that is not used to log into your website?


1Password Version: 7
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:master password

Comments

  • The answer is apparently that 1password.com is doing javascript magic so the form that looks like it's sending your password to the server doesn't actually do that, but instead some code is downloaded to run something called Secure Remote Password (SRP) and that protocol is used to authenticate you. I'm not super happy about the "code downloaded from the internet" part, and this is basically not explained anywhere on their website, but it seems like it's not as egregious as it looks.

    Even the security whitepaper forces me to kind of read between the lines. But it's better than any explanation I could find on the actual website or in the support knowledgebase. https://1password.com/files/1Password for Teams White Paper.pdf

  • Meek

    Team Member

    Hey @croald, I'm sorry for the confusion around this! Yes, you're absolutely right - your Master Password (and Secret Key for that matter), are never sent to our server. You are still the only one who knows these.

    We tried to make this clear (in slightly simpler terms than in the whitepaper) on our security page here: https://1password.com/security/

    I agree though that it's not overly clear how we accomplish the "Only you know your Master Password." part from that page. It's great that you found the White Paper to dig into it deeper - that's what we like to see :)

    If you have any further questions, please let us know.

  • amityweb
    edited July 9

    About this "I'm not super happy about the "code downloaded from the internet" part, and this is basically not explained anywhere on their website, but it seems like it's not as egregious as it looks."

    Can this not be intercepted by some man in the middle thing? Or if your own website is hacked, then the code we get to download could be something intercepting our password and sending it off to a malicious third party? Or we don't even download a code if your site is hacked, as the form is replaced with a form to send the password to a malicious user.

    Anything on a website is less secure, we have no idea what's behind the scenes on your website, if your site was hacked for example.

    Thanks

  • Lars, Junior Member

    Team Member

    @amityweb - no. SRP isn't like a webpage that can be spoofed or mimicked. It's code that comprises the protocol used to transmit a shared secret that is NOT your Master Password or Secret Key, over the internet to us. I'd suggest either the Security link Meek provided above, or the full 1Password.com security white paper that goes into much greater detail, particularly the sections on A Modern Approach to Authentication and Appendix B on Secure Remote Password itself, if you'd like to know how it's done in detail.
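As an added illustration of the exchange Lars describes (example code written for this thread, not 1Password's own implementation), here is a minimal SRP-6a round in Python: at sign-up the client uploads only a salt and a verifier v = g^x, and at login both sides arrive at the same session key while only the identity, the salt, A and B cross the wire. The group parameters N and g are constructed toy values rather than a standard SRP group, and the hashing is simplified relative to the white paper.

```python
import hashlib
import secrets
# Constructed, demonstration-only parameters: 2**255 - 19 is prime, so the math
# is sound, but it is NOT a standard (safe-prime) SRP group and is not secure.
N = 2**255 - 19
G = 2

def H(*parts: bytes) -> int:
    """SHA-256 over the concatenated parts, reduced to an integer mod N."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % N

def to_bytes(x: int) -> bytes:
    return x.to_bytes(32, "big")  # every value used here is < N < 2**256

K_MULT = H(to_bytes(N), to_bytes(G))  # SRP-6a multiplier k = H(N, g)
def private_x(identity: str, password: str, salt: bytes) -> int:
    # x is derived only on the client; the password never leaves the device
    return H(salt, hashlib.sha256(f"{identity}:{password}".encode()).digest())

def enroll(identity: str, password: str) -> tuple[bytes, int]:
    """Sign-up: the client computes v = g^x and uploads only (salt, v)."""
    salt = secrets.token_bytes(16)
    return salt, pow(G, private_x(identity, password, salt), N)

def client_start() -> tuple[int, int]:
    a = secrets.randbelow(N - 2) + 1
    return a, pow(G, a, N)  # A = g^a goes over the wire

def server_start(verifier: int) -> tuple[int, int]:
    b = secrets.randbelow(N - 2) + 1
    return b, (K_MULT * verifier + pow(G, b, N)) % N  # B = k*v + g^b

def client_key(identity, attempt, salt, a, A, B) -> bytes:
    """Client: S = (B - k*g^x)^(a + u*x) = g^(b*(a + u*x)) mod N."""
    x = private_x(identity, attempt, salt)
    u = H(to_bytes(A), to_bytes(B))
    S = pow((B - K_MULT * pow(G, x, N)) % N, a + u * x, N)
    return hashlib.sha256(to_bytes(S)).digest()

def server_key(verifier, b, A, B) -> bytes:
    """Server: S = (A * v^u)^b mod N, using only the stored verifier."""
    u = H(to_bytes(A), to_bytes(B))
    S = pow(A * pow(verifier, u, N) % N, b, N)
    return hashlib.sha256(to_bytes(S)).digest()

def run_login(identity, attempt, salt, verifier):
    a, A = client_start()
    b, B = server_start(verifier)
    wire = [identity.encode(), to_bytes(A), salt, to_bytes(B)]  # all that is transmitted
    return client_key(identity, attempt, salt, a, A, B), server_key(verifier, b, A, B), wire
```

A real deployment would also exchange key-confirmation proofs (M1/M2) before either side trusts the session key; that step is omitted here.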

  • Sorry guys, you are still asking me to fill my master password into a form in a web browser. I am not willing to do this. Is there a way to activate a 1Password membership without doing this?
    I am a longtime 1Password user, only now I am trying to update to version 7 with a (family) membership.
    I also tried via the iOS app, but that gets me to the same interface as on the browser. (And I already unlocked my vault opening the iOS 1Password app, so this confuses me even more.)

  • Lars, Junior Member

    Team Member

    Welcome to the forum, @janwuyts! I definitely understand your concern -- the browser is a hostile environment, and you're right to view it skeptically. However, I'd seriously recommend you have a look through the full 1password.com security white paper that Meek recommended earlier, especially the sections titled "A Modern Approach to Authentication" and Appendix B, "Secure Remote Password." I say this because the answer to your question is no: there is no way to activate a 1Password membership without entering your Master Password. And it's truly not transmitted to us, in any form, when you create/enter it in your browser.

    If you want to pursue additional precautions when creating your Master Password, you can temporarily disable or even uninstall all other browser extensions before you do this, but you won't be able to create an account without entering your Master Password via the browser.

  • thanks for the fast reply, I'll go through the whitepaper and until then continue on with 1Password 6

  • Ben, AWS Team

    Team Member

    Fair enough. :)

    Ben
