Web interface encryption and security

Hi, I just created a 30-day trial account of 1Password and merged my locally stored vault with the newly created cloud vault. Quite surprisingly for me, I then realised that I can see all the passwords in the web user interface. So I was thinking how this is possible and how secure this is - where do you decrypt my passwords and how do you send them over the internet (even though through SSL encryption).

Could you please confirm (or correct me) if my rather non-professional idea of how this works is correct?

I guess that after I login in my web browser, some javascript class locally running in my browser takes my Master Password and my Account Key (not sending them anywhere!) and establishes some kind encryption/decryption API to 1Password's server. Is this the thing that is done using W3C WebCrypto API, as you boast on your site? Therefore, all the decrypted views into my vault and passwords are created strictly locally by javascript in my browser, and everything that is sent from you is still MasterPass+Account_Key encrypted (and sent over SSL)?

But it also means that all the passwords are as vulnerable as my web browser and it can potentially be hijacked by some malicious javascript running secretly in my browser - is that right?

Thank you very much for clarification.

All the best
Rompi


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:Web interface encryption

Comments

  • brentybrenty

    Team Member

    Hi, I just created a 30-day trial account of 1Password and merged my locally stored vault with the newly created cloud vault. Quite surprisingly for me, I then realised that I can see all the passwords in the web user interface. So I was thinking how this is possible and how secure this is - where do you decrypt my passwords and how do you send them over the internet (even though through SSL encryption).
    Could you please confirm (or correct me) if my rather non-professional idea of how this works is correct?

    @rompi: Absolutely! I'm glad you asked! Indeed, even when you use 1Password.com, your data is encrypted on your device, so all the server ever ends up with is an encrypted blob. And since the Account Key is created locally, your Master Password is only known by you, and neither is ever transmitted, no one — including AgileBits — has the means to decrypt the data.

    I guess that after I login in my web browser, some javascript class locally running in my browser takes my Master Password and my Account Key (not sending them anywhere!) and establishes some kind encryption/decryption API to 1Password's server. Is this the thing that is done using W3C WebCrypto API, as you boast on your site? Therefore, all the decrypted views into my vault and passwords are created strictly locally by javascript in my browser, and everything that is sent from you is still MasterPass+Account_Key encrypted (and sent over SSL)?

    WebCrypto precisely!

    But it also means that all the passwords are as vulnerable as my web browser and it can potentially be hijacked by some malicious javascript running secretly in my browser - is that right?

    I'd modify this a bit to say "all the passwords are as vulnerable as my web browser or OS". Ultimately if your machine is compromised, all bets are off, as you no longer own it, and the attacker has access to any information you do (or at least we should assume they do). At that point, none of this is relevant to 1Password though, as they can simply collect any data you actively use. This applies to 1Password.com, the 1Password apps, Notes, Mail, etc. equally. However, 1Password has the benefit of storing all of your data encrypted, so it cannot be accessed at rest, only when you unlock it.

    Thank you very much for clarification.
    All the best
    Rompi

    Any time! And you can read more details on how all of this works in our white paper, and don't hesitate to ask any other questions you may have. Happy new year! :)

  • Hi brenty, thanks a lot for your reply! I'll check the white paper too.

  • brentybrenty

    Team Member

    My pleasure! I hope you enjoy it. I actually found it to be fairly entertaining. We're here if you need anything else. :)

This discussion has been closed.