Encryption in cloud

HBridges
Community Member

1Password makes the claim that our passwords stored in their cloud are safe, and that even 1password.com itself cannot decrypt them, because to do so requires both our login password to 1password.com, which they have, and the magic key, which they say they don't have. But how do we know that they don't have the magic key, since they generated it and sent it to us? How could we know for sure that they haven't retained the magic key somewhere?



Comments

  • danco
    Volunteer Moderator

    How can you know anything about a program for sure? Without knowing the code in full.

    But the secret key was not sent to you from 1password.com. It is generated locally. But how can you trust that information?

  • AlwaysSortaCurious

    Yup. There is some faith required. And they don't have either component of the password, not the secret key and not the password (if you have faith).

  • Ben

    Without knowing the code in full.

    Even then you have to trust that the binaries you're running were compiled from the supplied code (or compile yourself). For information on what we know, what we don't know, and how we protect what we have, please see this guide:

    https://1pw.ca/whitepaper

    Ben

This discussion has been closed.