Serverside Master Passwords, I'm confused??

jdc
jdc
Community Member

I've been a 1Password user for probably a decade, happily using it synced with dropbox. Pretty happy with the whole client side only massword thing, but password vault stored in the cloud idea.

Yesterday I went to set up a family subscription (having finally convinced others in the household to do the right thing :chuffed: ) and was a bit taken aback to be asked to enter my master password on a website... so just backed out of it.

What's the deal with that? Are master passwords now no-longer client side only? I'm confused.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • DanielP
    DanielP
    1Password Alumni

    @jdc:

    Master Passwords are still client-side only. What you are seeing there is not a website, but rather an app that is served and run locally inside your browser. If you have a 1Password Families account, you also have access to your data on 1Password.com (rather than on Dropbox): the way this is done is by delivering a local app that runs directly inside your browser.

    Even though it looks like you are entering your Master Password on a website, everything still happens locally like in any other 1Password client. The difference is that this web app is not installed directly inside your operating system as a regular app, but instead runs directly inside the browser.

    If you would like to know the design details behind our implementation, I encourage you to read our security white paper. It goes into a lot of detail into several aspects of our architecture, including clarifying how we handle secrets. And if you have any questions about that document, by all means please let me know and I'll be happy to go into the details with you.

    ===
    Daniel
    1Password Security Team

  • jdc
    jdc
    Community Member

    That's a relief! Perhaps that should be highlighted in some way during the onboarding? It felt like I was signing up for a conventional web service, which raised an eyebrow.

    Thanks!

  • Thanks for the feedback, @jdc. I'll suggest to the team that we try to make it more clear during the signup process that the Master Password and Secret Key are kept local to your computer, despite appearances based on the web app.

    Ben

  • blacknell
    blacknell
    Community Member

    I had exactly the same reaction. I'm testing the family package because I think the extra ability to recover vaults in a disaster is worth having.

    However, I was super uncomfortable when Firefox asked if I wanted to save the password for this website. My master password!*? No way. So obviously I said no, but my family members are not so sharp or attentive.

    How on earth can this is possible?

    Paul
    PS. I'm in the same situation as above. Decade of 1P and now want to move on to 7.x

  • Hi @blacknell, great question! As far as I'm aware, there is no standard way to prevent things like "Save this password" in a web browser. There certainly are ways of doing it, but these are normally workarounds that aren't officially supported by browsers and make it far more difficult (or sometimes impossible) for all password managers to work properly. There are times where you may want to fill in your 1Password account details into 1Password.com, so stopping 1Password from working on our own app would be a little strange to say the least! It's why we recommend turning off the built-in password manager in your browser instead.

This discussion has been closed.