
Did 1Password send my Master Password over the internet?

MarkM2017
Community Member

I just upgraded to the Accounts method of using 1Password so forgive me if this has been covered before.

One of my main questions about its safety was if your master password was ever transmitted over the internet, and according to all the searches I could find it was flatly stated that your master password was never sent anywhere.

So I signed up and got everything switched over to the new way of doing things. Went back to the accounts sign in page and signed in, and 1Password offered to save the login for me. Boom! a new login with my Master Password included on all my other devices.

So how did it get there?



Comments

  • pervel
    Community Member

    All of the encryption happens on your computer (in the browser or in the standalone app). So your Master Password and your Account Key are only used on your computer and thus never sent anywhere.

  • MarkM2017
    Community Member

    So how did the login with my master password and account key get from my PC to my iPad or phone?

    Is the software on each device sophisticated enough to add the master password and account key to this one particular login? Which seems pretty much like all the hundreds of others I have.

  • pervel
    Community Member

    True, if you create a login item with your Master Password in it, that will be transmitted (encrypted of course) just like any other login item you create. Personally, I haven't created a login item with my Master Password in it though. I don't think there is much use for it.

    Anyway, the main point is that the Master Password and Account Key are only used locally and all the encryption takes place locally on your computer.

  • MarkM2017
    Community Member
    edited February 2017

    Well thanks for the reply, it's just annoying that after all these years of being so careful with my Master Password the first thing https://my.1password.com/signin does is offer you a honey trap to send all your 1Password information out into the wild. I just assumed it being Agilebits and such a strange login page it would have been ok.

  • analogist
    Community Member
    edited February 2017

    @MarkM2017, the new cloud-based accounts follow a different model: to do account administration, you (currently) have to use a browser. After you set up your vaults the way you want to, you won't have to use the browser anymore, and you can use the 1PW software just as you have before.

    Believe it or not, your master password was still never "transmitted" in this process (in any way that 1PW knows that you transmitted it)! It's unfortunate that your browser captured and saved the login (just like it saves a login to any other website) when you didn't really want it to. But 1PW didn't ever in this process know your master password, or even the fact that you had transmitted your master password.

    When you visited my.1password.com and you typed in the account key and master password, neither actually got transmitted. This is something really cool that 1Password does: instead of transmitting the password like say your bank, instead, the page computed an identifier token using something called SRP. The SRP key is what then got transmitted, to prove to 1PW that it's really you who logged in. No one can figure out your account key or your master password from the SRP key, including 1PW themselves.

    Next (unfortunately) the browser extension then "saved" your login, like it tries to save every other login. That's how your master password got there. Fortunately, it was encrypted before it even got there. 1Password themselves can't read this saved entry, just like how they can't read any other saved entry of any of your other website's logins. All their servers know is that a new entry got created, with an encrypted title "jLWW4OyTReWhMioLo4qC+x2t" (for example), with the encrypted password "nm++btiD5kNjvdjaTPB2SbKfbTIJP5jn+Fk3A9Z4NiHbsU2F3XMnWWc0" (for example). They, or anyone else, don't know it's your master password that you just saved. It could have been for funny-cat-pictures.com, for all they know.

    So while it's not ideal (and I understand it can be frustrating) that your master password got saved into your password vault when you didn't mean for it to, it's not as bad as you might imagine. If everything was working like Agilebits intended, no one, including themselves, know or have any way of finding out what just occurred, nor can anyone find out what your master password was.
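
The sign-in idea described in the post above, sketched as a minimal SRP-6a handshake. This is an added example, not part of the thread and not 1Password's code: the toy 521-bit prime, the PBKDF2 settings, the way the Account Key and Master Password are joined into one secret, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Toy group (assumption): 2**521 - 1 is prime; real systems use a standardized safe-prime group.
N, g = 2**521 - 1, 3
WIDTH = 66  # bytes needed to hold any value below N

def H(*values: int) -> int:
    """Hash fixed-width big-endian encodings of the inputs to an integer."""
    data = b"".join(v.to_bytes(WIDTH, "big") for v in values)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

k = H(N, g)  # SRP-6a multiplier

def derive_x(secret: str, salt: bytes) -> int:
    """Stretch the user's secret locally; x never leaves the client."""
    key = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)
    return int.from_bytes(key, "big")

def enroll(secret: str):
    """Client-side sign-up: only (salt, verifier) is handed to the server."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, derive_x(secret, salt), N)

def login(secret: str, salt: bytes, verifier: int):
    """One handshake. Returns (server_accepts, bytes_sent_over_the_wire)."""
    a = secrets.randbelow(N - 2) + 1       # client ephemeral secret
    A = pow(g, a, N)                       # client -> server
    b = secrets.randbelow(N - 2) + 1       # server ephemeral secret
    B = (k * verifier + pow(g, b, N)) % N  # server -> client
    if A % N == 0 or B % N == 0:           # each side must reject a zero value
        return False, b""
    u = H(A, B)
    # Client: needs x (derived from the secret) to reach the shared value S.
    x = derive_x(secret, salt)
    s_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    proof = H(A, B, s_client)              # client -> server
    # Server: reaches the same S from the stored verifier alone.
    s_server = pow(A * pow(verifier, u, N) % N, b, N)
    expected = H(A, B, s_server)
    ok = hmac.compare_digest(proof.to_bytes(32, "big"), expected.to_bytes(32, "big"))
    return ok, b"".join(m.to_bytes(WIDTH, "big") for m in (A, B, proof))

# Constructed sample credentials, not real ones.
SECRET = "A3-EXAMPLE-ACCOUNT-KEY" + "correct horse battery staple"
if __name__ == "__main__":
    salt, v = enroll(SECRET)
    print(login(SECRET, salt, v)[0], login("wrong guess", salt, v)[0])
```

The only values that cross the wire are `A`, `B` and the proof; the server checks the proof against the verifier it stored at sign-up and never receives the secret itself.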

  • Roman
    1Password Alumni

    @MarkM2017 - I just wanted to quickly chime in on this. @pervel's and @analogist's assessment of what happened and why is spot on (Thanks for the assist!), especially @analogist's description of SRP and what happens to your login item when it's saved is accurate.

    It's also worth noting that before 1Password saved your Master Password as a login item for 1Password.com, it asked you if it should in fact do that. You are in full control of what is stored, 1Password doesn't do any sketchy things behind your back. :)

    If you need any additional information about our security efforts, please see our article about Privacy & Security and the 1Password Security Design White Paper. And of course you can raise any issues with us here, just let us know how we can help! :)

  • MarkM2017
    Community Member
    edited February 2017

    Thanks for the replies.

    And yes I realize that nothing sketchy was intended and how strong the encryption is, as analogist said:

    "it's not as bad as you might imagine. If everything was working like Agilebits intended ...."

    But then again I am sure everything was working as intended at Home Depot, Target, and several others when they had data stolen and the banks had to fix problems with my accounts and reissue cards. Having my Master Password compromised in any way would be a level 10 earthquake on the Richter Scale compared to that.

    The funny thing is I was so astounded that 1Password saved and transmitted all of my account information email, account key and Master Password that I did it again just to make sure, so I actually sent my info out twice. And every time I use the web login one nervous twitch of the finger on the return key from doing it again, there is no Never for this Site option I seem to remember on the standalone version.

    Also done some more testing this morning, this is only happening on the Windows 10 version of 1Password 6, on my Mac it does not try to save the login.

  • pervel
    Community Member

    @MarkM2017, I don't think you need to be so nervous about this. Saving your Master Password as a login item does not compromise your security in any way. It's a bit like if you have a safety box with a code and then decide to write that code down and place it inside the safety box. It doesn't do much good, but it doesn't hurt either. :)

  • Hi @MarkM2017 - Just wanted to check in to see if you have any further questions. We'll be happy to help out any way we can.

    Thank you for the help @pervel :+1:

  • MarkM2017
    Community Member

    I was editing my reply and it disappeared so hope this is not redundant ...

    I want to be clear it was my login email, new account key and Master Password that was transmitted together, all the keys to my tiny kingdom so to speak. I have since of course deleted the login and changed my password.

    This is only on the Windows 10 version 6, it attempts to save the login every time I use the web page and there is no "never save" option I seem to remember on the standalone version. So every time I use the page I run the risk of one nervous twitch of the finger on the return key from doing it again. My Mac on the same account does not offer to save the login.

    I really liked that 30+ character Master Password too, like losing an old friend :'(

  • Hi @MarkM2017 - You can disable this in 1Password 6 on your PC. Under settings click on the Browser tab then uncheck the box next to autosave. I hope this helps and let us know if you have any further questions. Have a great day!

  • MarkM2017
    Community Member

    What's the point of a password program that won't remember passwords, except the ones you don't want it to of course?

    This is the reason I have resisted going to the cloud based account and heading back to standalone or someplace else

    Thanks all

  • Hi @MarkM2017 - 1Password for Windows does not offer the same suggestion as on a Mac. On a Mac when you click "never for this site" it's added to the same section I referenced on Windows under settings. You can add specific websites to this section that you don't want the extension to prompt you to save. Sorry for any confusion.

  • MarkM2017
    Community Member
    edited February 2017

    Yes, I had just found the exclusion section in the Windows software and added the 1Password domain and it stopped trying to save the login.

    However I never told my Mac not to remember the login it just never asked.

    Maybe excluding the domain should be a standard feature on your software

  • Hi @MarkM2017 - We're working on it and sorry for the confusion between the two. Our Windows Team is working hard to improve the user experience and add new features. 1Password 6 was completely rewritten from scratch but it's not an excuse. I will definitely make sure to share your request with the team. I appreciate the constructive feedback :+1: Enjoy the rest of your day!

  • AGAlumB
    1Password Alumni

    "I just upgraded to the Accounts method of using 1Password so forgive me if this has been covered before."

    @MarkM2017: I just wanted to add that you should never apologize for asking questions. In cases like this especially, there isn't a helpful way to make all of the inner workings obvious to the user. We'd have to dump a ton of information on you during the setup process or something, which isn't a great experience. But we're always glad to hear from you and the rest of our awesome customers...and for any opportunity to discuss how all of this works! :glasses:

    And finally, if something else isn't working the way you expect, be sure to let us know the specifics so we can assist. Cheers! :)

This discussion has been closed.