top | item 34104998


bb101 | 3 years ago

1Password also uses a secret key in addition to your master password to encrypt your data. You enter the secret key when setting up the account on a new device.

So a hacker would have to get hold of the encrypted data, together with the secret key for each account. The secret key isn't stored by 1Password, requiring the hacker to brute force it. However, each key provides 128 bits of entropy, which makes it infeasible to brute force with current technology.

More info: https://support.1password.com/secret-key-security/


jb1991|3 years ago

But the issue in this thread is less about how the encryption is done than about the amount of data that is actually encrypted. I wonder if 1Password encrypts everything, in addition to passwords.

TechBro8615|3 years ago

My understanding is that they do, but there are some caveats. For example, the feature that tells you if 2FA is available for a website presumably requires sending an HTTP request to 1Password servers including the domain of the website.

Although it's possible they implement this with a local Bloom filter or something. I'm just speculating. And either way, those requests would only end up stored in some server logs somewhere, rather than in a database row directly linked to your vault.

EDIT: It is in fact done locally. :) see: https://support.1password.com/watchtower-privacy/