"Like your Master Password, your Secret Key is never sent to us." [1Password accounts use SRP]

vakakulka
edited February 2018 in Memberships

I must enter them for sync! It turns out I have already put them in the hands of the company/developer. Shouldn't this be happening?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:"Like your Master Password, your Secret Key is never sent to us." - wrong?

Comments

  • brenty

    Team Member
    edited February 2018

    I must enter them for sync!

    @vakakulka: If you mean to sign into your account, then yes; you have to enter your credentials into the app locally to be able to sign in. More on that later.

    It turns out I have already put them in the hands of the company/developer. Shouldn't this be happening?

    I'm not sure exactly how to answer those questions the way you've phrased them, so I'll ask a simpler question and then answer it myself:

    How can we login to 1Password accounts without sending AgileBits our Master Password and Secret Key?

    The answer? SRP: Secure Remote Password protocol.

    In the native apps (like 1Password for Mac) and even when you're using the 1Password.com web interface, you're running an app on your machine that does all of this locally, so that account credentials — and unencrypted data — are never sent to us. There's a great blog post on SRP in particular:

    Developers: How we use SRP, and you can too

    But the short version is that when you signed up for an account, your Secret Key was generated locally on your device, you chose a Master Password, and so that neither of these ever has to be sent to us, a "verifier" was also cryptographically generated, which the server can use to know that it's you each time you sign in. Rather than knowing your account credentials, you can prove to us that you know them using math.

    I hope this helps. There's a lot more overall detail on how 1Password.com works in the security white paper, and we're here if you have any questions. :)
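To make the "prove you know it using math" step concrete, here is an added, self-contained SRP-6a exchange in Python. It is not 1Password's code and does not reproduce 1Password's key derivation: the `secret` string is an assumed stand-in for whatever the client derives from the Master Password and Secret Key, the group is the 1024-bit one from RFC 5054 Appendix A, and the proof messages M1/M2 are simplified. What it shows is the property brenty describes: enrollment produces only a salt and a verifier for the server to store, and a login succeeds without the secret (or `x`) ever leaving the client side of the exchange.

```python
"""
Toy SRP-6a exchange showing how a client proves knowledge of a password to a
server that stores only a verifier. Added example, not 1Password's code.
"""
import hashlib
import secrets

# 1024-bit safe-prime group from RFC 5054, Appendix A (assumption: real
# deployments use a larger group; the algebra is identical).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2
N_BYTES = (N.bit_length() + 7) // 8


def _to_bytes(n: int) -> bytes:
    return n.to_bytes(N_BYTES, "big")


def H(*parts: bytes) -> int:
    h = hashlib.sha256()
    for p in parts:
        h.update(p)
    return int.from_bytes(h.digest(), "big")


k = H(_to_bytes(N), _to_bytes(g))  # SRP-6a multiplier k = H(N || PAD(g))


def private_x(username: str, secret: str, salt: bytes) -> int:
    # x = H(salt || H(username ":" secret)). Only the client ever computes
    # this; `secret` is a constructed stand-in for the client's credential.
    inner = hashlib.sha256(f"{username}:{secret}".encode()).digest()
    return H(salt, inner)


def enroll(username: str, secret: str) -> dict:
    """Client-side signup: returns the record the server stores (no secret in it)."""
    salt = secrets.token_bytes(16)
    x = private_x(username, secret, salt)
    v = pow(g, x, N)  # the verifier; deriving x from v is a discrete log
    return {"username": username, "salt": salt, "verifier": v}


def srp_login(record: dict, username: str, secret: str) -> tuple:
    """
    One full exchange between a client that knows `secret` and a server that
    knows only `record`. Returns (server_accepted_client, client_accepted_server).
    """
    # client: ephemeral a, public A = g^a
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    # server: must reject A == 0 mod N, then B = k*v + g^b
    if A % N == 0:
        return (False, False)
    v = record["verifier"]
    b = secrets.randbelow(N - 2) + 1
    B = (k * v + pow(g, b, N)) % N
    if B == 0:
        return (False, False)  # client must abort on B == 0
    # both sides: scrambling parameter u = H(A || B)
    u = H(_to_bytes(A), _to_bytes(B))
    if u == 0:
        return (False, False)
    # client: needs x, which only it can derive from the secret
    x = private_x(username, secret, record["salt"])
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    K_client = H(_to_bytes(S_client))
    # server: same session key from A, v, u, b, without ever holding x
    S_server = pow(A * pow(v, u, N) % N, b, N)
    K_server = H(_to_bytes(S_server))
    # proofs (simplified): client sends M1, server verifies it, then answers M2
    M1_client = H(_to_bytes(A), _to_bytes(B), _to_bytes(K_client))
    M1_expected = H(_to_bytes(A), _to_bytes(B), _to_bytes(K_server))
    server_ok = secrets.compare_digest(_to_bytes(M1_client), _to_bytes(M1_expected))
    if not server_ok:
        return (False, False)
    M2_server = H(_to_bytes(A), _to_bytes(M1_expected), _to_bytes(K_server))
    M2_expected = H(_to_bytes(A), _to_bytes(M1_client), _to_bytes(K_client))
    client_ok = secrets.compare_digest(_to_bytes(M2_server), _to_bytes(M2_expected))
    return (server_ok, client_ok)


if __name__ == "__main__":
    rec = enroll("alice", "correct horse battery staple")  # constructed input
    print("server stores:", sorted(rec))
    print("right secret:", srp_login(rec, "alice", "correct horse battery staple"))
    print("wrong secret:", srp_login(rec, "alice", "wrong"))
```

The thing to notice is what crosses the wire: A, B, M1 and M2, plus the salt the server already has. The secret and the derived `x` appear only inside `private_x`, which runs on the client, and the verifier `v` the server holds lets it check a proof but does not let it impersonate the client, because recovering `x` from `v = g^x mod N` is a discrete-logarithm problem.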

  • Sorry, I don't understand. https://my.1password.com/signin?a=new

    This page wants my Secret Key and Master Password. This page belongs to your site, right? Doesn't that give them to you?
  • brenty

    Team Member

    @vakakulka: I appreciate that it isn't obvious, which is why I went to the trouble to explain it, and why we've documented how it works extensively. But yes, we made that webpage, and no, filling in account credentials there doesn't send them to us.

    As I mentioned, the web app also runs locally on your machine. Many auditors and independent security researchers have verified our security and continue to try to find any flaws so we can fix them. And you can also verify this using freely available tools to view the code and monitor traffic to and from your machine.

    Did you check out the blog post and documentation I sent earlier? Happy to answer any questions you have about it. :)
