1P Blog "What if 1Password gets hacked?"

alex_pres_tech
Community Member

Hello,

I loved this post and it is very reassuring. I do have one question about a particular passage,

 "With Secure Remote Password, your Master Password and Secret Key are used to generate a new key, entirely separate from the one that encrypts your data. 1Password on your device sends the 1Password server a series of puzzles. Once solved, these prove to the server that you know your Master Password and Secret Key without having to share them. (Likewise, the server has to prove to your device that it holds the data you’re asking for). These puzzles are different every time the app connects to the server so they can never be replicated by an outside observer."

While this passage addresses the 1P app, etc., I am wondering about 1Password.com. When logging into 1P.com, we are asked to enter our email address, secret key and master password. The article does not address any aspect of 1P.com, so my question is what happens to our secret key, master password and email address when we log in? If 1P were in fact hacked, can this info be accessed?

Thank you,



Comments

  • DanielP
    1Password Alumni

    @alex_pres_tech:

    When you visit 1Password.com, your credentials are still handled client-side only. What you are seeing there is not a website, but rather an app that is served and run locally inside your browser. Even though it looks like you are entering your Master Password on a website, everything still happens locally like in any other 1Password client. The difference is that this web app is not installed directly inside your operating system as a regular app, but instead runs directly inside the browser.

    If you would like to know the design details behind our implementation, I encourage you to read our security white paper. It goes into a lot of detail on several aspects of our architecture, including clarifying how we handle secrets. And if you have any questions about that document, by all means please let me know and I'll be happy to go into the details with you.

    ===
    Daniel
    1Password Security Team

This discussion has been closed.
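
The exchange described in the quoted blog passage can be sketched with textbook SRP-6a. This is an added example, not 1Password's code and not part of the original thread; the demo modulus, generator, key derivation, and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

# Demo group (assumption): 2**521 - 1 is a known Mersenne prime, used only to
# avoid a long constant. Real deployments use a standardized safe-prime group.
N = 2**521 - 1
g = 3
NBYTES = (N.bit_length() + 7) // 8

def pad(n: int) -> bytes:
    return n.to_bytes(NBYTES, "big")

def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

k = H(pad(N), pad(g))  # SRP-6a multiplier

def derive_x(password: str, secret_key: str, salt: bytes) -> int:
    # Constructed derivation: both secrets feed one slow hash. Not 1Password's KDF.
    material = f"{secret_key}\x00{password}".encode()
    return int.from_bytes(hashlib.pbkdf2_hmac("sha256", material, salt, 10_000), "big")

def enroll(password: str, secret_key: str):
    """Client-side enrollment: only (salt, verifier) ever reaches the server."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, derive_x(password, secret_key, salt), N)

def login(password: str, secret_key: str, salt: bytes, verifier: int):
    """Run both sides of one login; returns (client_key, server_key, (A, B))."""
    a = secrets.randbelow(N - 2) + 1        # client ephemeral secret
    A = pow(g, a, N)                        # client -> server
    b = secrets.randbelow(N - 2) + 1        # server ephemeral secret
    B = (k * verifier + pow(g, b, N)) % N   # server -> client
    if A % N == 0 or B % N == 0:
        raise ValueError("invalid public value")  # each side rejects a zero value
    u = H(pad(A), pad(B))                   # binds both fresh values together
    # Client side: must recompute x from the real secrets.
    x = derive_x(password, secret_key, salt)
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    # Server side: uses only the stored verifier, never the secrets.
    S_server = pow(A * pow(verifier, u, N) % N, b, N)
    return (hashlib.sha256(pad(S_client)).digest(),
            hashlib.sha256(pad(S_server)).digest(), (A, B))
```

Only `salt`, `verifier`, `A` and `B` cross the wire in this sketch; the two derived keys match only when the client used the same secrets that produced the verifier.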