1password Security



1Password is SOC 2 type 2 certified. SOC, or Service Organization Control, is an independent auditing process that makes sure that 1Password securely manages data to protect customers’ interests and privacy. To request a copy of the SOC 2 report, contact the 1Password Business team. Learn more about SOC 2 certification of 1Password.

Disclaimer: I work for AgileBits, makers of 1Password. Thanks for asking me to answer this, Marc Bodnick. The short answer is that your data is safe in 1Password. Fundamental design choices were made to protect everything you store in 1Password.

Dale Myers posted a blog entry a few days ago about a problem he’d found in 1Password: while passwords in AgileBits’ vaults were secure, metadata was stored in the clear. And this was intentional, allowing web-based access to the vault to retrieve information without requiring the 1Password app.

Myers wasn’t incorrect and he wasn’t over-sensationalizing the situation. He also provided a recommendation for a solution, one that AgileBits endorsed in its blog entry responding to his post. And he continues to use the product.

Though it’s obvious, neither Myers nor AgileBits explicitly noted one important factor: an attacker first has to gain access to your vault file. If you posted it on a website that you set up for only you to use, perhaps someone else would find it, or a security breach at a hosting company might provide a way in.

But if you use Dropbox for syncing, there’s little chance for easy vacuuming up of your data. I have my 1Password vault synced to two Macs and two iOS devices using Dropbox. I have two-factor authentication enabled for Dropbox, and FileVault, Touch ID, and a passcode in use on those computers and mobiles. Someone has to either get access to my Dropbox credentials and second factor, or get access to my devices in an unlocked state to grab my file. (It’s also possible Dropbox would experience a hack that would allow files to be obtained without credentials or physical access, but that would expose vast amounts of information of all kinds, rather than being a targeted effort to obtain a 1Password vault.)

Even if someone should retrieve your entire vault, the information they could get is only useful to learn about you, rather than to break into your accounts. The passwords themselves remain protected in an extremely strong manner that requires a huge amount of computational effort and substantial time to crack.

But even losing metadata makes some people nervous, and rightly so. In the wrong hands, information about what you do—where you have accounts—could be used for identity theft or harassment.

The format Myers objected to, Agile Keychain, was developed in 2008 by AgileBits as a way to allow granular updates of individual password entries without overloading the mobile device processing power that was available when the iPhone 3G was fresh and fancy. The company later developed a newer format, called OPVault, which encrypts nearly everything. Myers raised a good point by noting that Agile Keychain remains in wide use. (OPVault leaves the names of folders and categories unencrypted, as well as timestamp data, but this offers little of utility to crackers compared to URLs and user names.)

As AgileBits noted in its blog entry, it didn’t migrate everyone from the old to the new, because there remained a mix of software releases and devices. Not-that-long-gone versions of 1Password—1Password 3 and older for Mac and 1Password 4 and older for iOS—can’t read OPVault, and the company didn’t want to break compatibility in the interests of security.

(OPVault is always used with iCloud, by the way. If you use iCloud, I generally recommend enabling two-step verification now and two-factor authentication as Apple rolls out its revised system more broadly in the coming months.)

You can imagine how this would have looked to customers, too. “I upgraded on my iPhone, and now my OS X version says I have to upgrade to read my passwords! What are you up to?!” Instead, they erred on the side of looking backward. AgileBits writes that they’re going to step up migration to the new format in upcoming releases across all platforms they support.

However, if you’re concerned about the metadata in your vault becoming accessible to anyone but yourself, you can switch over today with just a few well-documented steps at the company’s website. Just check first that all your devices have compatible versions of 1Password.

I went through them and it went off tickety-boo. I made the change in OS X, and then launched 1Password for iOS, where I went to the Sync settings and pointed the app to the new file. Because the entries were identical, just in a different format, it only took a couple of seconds for the sync process to show that it was up to date.

As capability improves and security follows, it will be more and more important that companies keep in mind and disclose to customers the decisions they made for efficiency in the past that are no longer needed. AgileBits didn’t drag its customers painfully to the new format—that’s an Apple move! Apple has no sentiment about the necessity of moving forward with no path back. But now that it’s taken stock with a prod from an outsider, we’ll all reduce our attack profile as a result.

Update: This article was updated to reflect the potential that a Dropbox breach would also allow 1Password data to be obtained, and to note that OPVault doesn’t encrypt folder and category names, nor timestamps.

Your Secret Key keeps your 1Password account safe by adding another level of security on top of your Master Password.

Your Secret Key is 34 letters and numbers, separated by dashes. It’s stored on devices you’ve used to sign in to your account, and in your Emergency Kit. Only you have access to it. Your Secret Key works with your Master Password – which only you know – to encrypt your data and keep it safe.

Your Secret Key is:

  • Yours. Everyone has their own unique Secret Key.
  • Secret. Your Secret Key was created on your own device. We have no record of your Secret Key and can’t recover it.

Your Secret Key is not:

  • A license key or serial number. It’s an encryption key that’s unrelated to your purchase.
  • A backup code. It doesn’t let you sign in if you forget your Master Password.

Protect your Secret Key

No one can access your 1Password data without your Secret Key. That includes you, so make sure you’re always able to find it.

  • Keep it secret. Don’t send it to us or make it public.
  • Keep it safe. Save your Emergency Kit, which contains your Secret Key. Then you’ll be able to find it, even if something happens to your devices.

How your Secret Key protects you

Your Secret Key and your Master Password both protect your data. They’re combined to create the full encryption key that encrypts everything you store in 1Password.

Because you need to memorize your Master Password, it can only be so strong – about 40 bits of entropy on average. Your Secret Key doesn’t need to be memorized, so it can be much stronger. It has 128 bits of entropy, making it infeasible to guess no matter how much money or computing power an attacker has available.

These differences in entropy and memorability allow your Master Password and Secret Key to protect you from different kinds of threats:

  • Your Master Password protects your data on your devices. Someone who has access to your devices or backups won’t be able to unlock 1Password without your Master Password, which only you know.
  • Your Secret Key protects your data off your devices. Someone who attempts a brute-force attack on our servers won’t be able to decrypt your data without your Secret Key, which we never have.

Like your Master Password, your Secret Key is never sent to us. But because you can’t memorize your Secret Key, 1Password stores copies of it for you, so you can:

  • Unlock 1Password without entering your Secret Key every time. It’s stored in the 1Password apps and browsers you’ve used to sign in to your account on 1Password.com.*
  • Have peace of mind if you lose a device. Encrypted copies of your Secret Key are stored in your device backups and keychains to provide data loss protection. If you have iCloud Keychain turned on and lose your Mac, iPhone, or iPad, you can restore from a backup and unlock 1Password with just your Master Password. It’s the same for Android backups.

*You won’t be able to find your Secret Key in Safari unless you sign in to your 1Password account at least once every 7 days.

Learn more

The first two characters of your Secret Key are the version number (“A3”) followed by a 6‑character identifier, both of which are known to us and used to aid in troubleshooting.
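The key layout described above and the two-secret design from the previous section, as an added example that is not 1Password’s own code: the 32-symbol alphabet, the PBKDF2/HKDF combination, the salt and the iteration count are assumptions chosen for illustration, not the product’s actual derivation. The layout matches the page (version “A3”, a 6‑character identifier, 34 letters and numbers in total).

```python
import hashlib
import hmac
import math
import re
import secrets

# Assumed alphabet: 32 unambiguous symbols, 5 bits each (not necessarily 1Password's own).
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
VERSION = "A3"               # version prefix stated on the page
ID_LEN, SECRET_LEN = 6, 26   # 2 + 6 + 26 = 34 letters and numbers

def generate_secret_key(account_id: str) -> str:
    """Create a Secret Key on the client: version, identifier, then 26 random symbols."""
    assert len(account_id) == ID_LEN and all(c in ALPHABET for c in account_id)
    body = "".join(secrets.choice(ALPHABET) for _ in range(SECRET_LEN))
    groups = [body[:6]] + [body[i:i + 5] for i in range(6, SECRET_LEN, 5)]
    return "-".join([VERSION, account_id] + groups)

def parse_secret_key(text: str) -> tuple[str, str, str]:
    """Split a dashed key into (version, identifier, secret); dashes and case are ignored."""
    raw = re.sub(r"[^A-Za-z0-9]", "", text).upper()
    if len(raw) != 2 + ID_LEN + SECRET_LEN or raw[:2] != VERSION:
        raise ValueError("not a 34-character A3 Secret Key")
    return raw[:2], raw[2:2 + ID_LEN], raw[2 + ID_LEN:]

def secret_entropy_bits(secret: str) -> float:
    """Only the random part counts: 26 symbols * 5 bits = 130 bits, above the 128 stated."""
    return len(secret) * math.log2(len(ALPHABET))

def derive_vault_key(master_password: str, secret_key: str, salt: bytes) -> bytes:
    """Illustrative two-secret combination (assumed): a slow PBKDF2 of the memorised
    password XORed with an HKDF of the Secret Key. An attacker holding only the
    encrypted data and the salt must guess both parts; guessing the ~40-bit
    password alone recovers nothing without the 128-bit Secret Key."""
    _, _, secret = parse_secret_key(secret_key)
    pw_part = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000)
    prk = hmac.new(salt, secret.encode(), hashlib.sha256).digest()            # HKDF-extract
    sk_part = hmac.new(prk, b"vault-key" + b"\x01", hashlib.sha256).digest()  # HKDF-expand, 1 block
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))
```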

The Secret Key was called the “Account Key” in previous versions of 1Password, and may still be labeled that way in your Emergency Kit. They are one and the same.

To find out more about the format of the Secret Key and how it is used in encryption, check out our 1Password Security Design White Paper.