Master Password ever transmitted over the internet?

You advertise that the master password is never transmitted over the internet, nor stored. When I was using the standalone version and synchronising my devices through my own wireless network, it was pretty clear.
Now, I have registered for the new 1Password account and had, for the first time, to enter my master password in my browser. And I need to do it any time I wish to log on to the web version... I am confused now... Does it mean that my password is now transmitted over the internet and stored somewhere? If not, how does it work? How is my security guaranteed as it was with the standalone version? How is my vault synchronised between my various devices and how secure is it?
Thanks.


1Password Version: 6.3.2
Extension Version: Not Provided
OS Version: Mac
Sync Type: ???
Referrer: forum-search:is my master password transmitted to the internet

Comments

  • brentybrenty

    Team Member

    @francoisb155: That's right: never! :sunglasses::+1:

    You advertise that the master password is never transmitted over the internet, nor stored. When I was using the standalone version and synchronising my devices through my own wireless network, it was pretty clear. Now, I have registered for the new 1Password account and had, for the first time, to enter my master password in my browser. And I need to do it any time I wish to log on to the web version... I am confused now... Does it mean that my password is now transmitted over the internet and stored somewhere?

    Great question! In fact, everything is done locally on your device. That's part of the reason why we have pretty strict requirements both for the browser itself and its security. The other part is, of course, that only modern browsers support the web standards 1Password.com needs to have a robust interface for viewing and editing your data. But one web standard 1Password.com depends on is WebCrypto. Before it existed, it was impossible to do this securely and efficiently all within the browser.

    If not, how does it work? How is my security guaranteed as it was with the standalone version? How is my vault synchronised between my various devices and how secure is it? Thanks.

    Indeed, when you use 1Password, AgileBits never has access to your data, regardless of the setup you choose. Even with 1Password.com, your data is encrypted on your device, so all the server ever ends up with is an encrypted blob. That's what is sync'd. And since the Account Key is created locally and your Master Password is never transmitted and only known by you, no one — including AgileBits — has the means to decrypt the data. This is really important, because we want to make sure that we don't have anything that could be used to compromise 1Password users, even if we ourselves are compromised/coerced/turned to evil/etc.

    Regarding the Master Password in particular, we use the SRP (Secure Remote Password) protocol to avoid transmitting it over the internet. You can read more details on how all of this works in our white paper, and don't hesitate to ask any other questions you may have! :)
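
The kind of exchange the reply above refers to when it mentions SRP, as an added example that is not part of the original thread and is not 1Password's code: a minimal SRP-6a login in which the password only feeds local computations and the server holds only a salt and a verifier. The toy group, the bare-hash `derive_x` and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy group for illustration only: 2**255 - 19 is prime but is NOT an SRP group.
# Real deployments use a standardized safe-prime group such as those in RFC 5054.
N = 2**255 - 19
g = 2

def H(*parts) -> int:
    """SHA-256 over the parts (ints as 32-byte big-endian), returned as an int."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p.to_bytes(32, "big") if isinstance(p, int) else p)
    return int.from_bytes(h.digest(), "big")

k = H(N, g)  # SRP-6a multiplier

def derive_x(salt: bytes, password: str) -> int:
    # Client only. A bare hash keeps this short; a real client uses a slow KDF.
    return H(salt, password.encode())

def enroll(password: str):
    """Client-side signup. Returns (salt, verifier): all the server ever stores."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, derive_x(salt, password), N)

def login(password: str, salt: bytes, v: int):
    """One SRP-6a login. Returns (values sent over the wire, server_accepts)."""
    # Client: ephemeral secret a stays local, public A is sent.
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    # Server: rejects a degenerate A, then sends B built from the stored verifier.
    if A % N == 0:
        raise ValueError("invalid client value A")
    b = secrets.randbelow(N - 2) + 1
    B = (k * v + pow(g, b, N)) % N
    if B % N == 0:  # client-side check on the server's value
        raise ValueError("invalid server value B")
    u = H(A, B)  # both sides compute this from public values
    # Client: derives the session key from the password, locally.
    x = derive_x(salt, password)
    K_client = H(pow((B - k * pow(g, x, N)) % N, a + u * x, N))
    M1 = H(A, B, K_client)  # proof of key, sent to the server
    # Server: derives the same key from the verifier only, then checks the proof.
    K_server = H(pow(A * pow(v, u, N) % N, b, N))
    wire = {"salt": salt, "A": A, "B": B, "M1": M1}
    return wire, M1 == H(A, B, K_server)
```
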

This discussion has been closed.