As we introduce more layers of security to our lives, we need to be aware (and wary) of what comes with them. Now, more than ever, an emphasis must be placed on security.
As I wrote in a previous post, the most fundamental (also, very unofficial) security principle is to think backwards. How much do you know about the ‘security’ products in your home? That question came up in a discussion last week, and something else struck me.
People trust 1Password with everything.
They store their identities, access to their money, personal documents, and so much more in our product because they believe in us. That’s an honour and a privilege. It’s also a responsibility — one we don’t take lightly.
We’ve made a commitment to you, and part of that commitment is full transparency. So, with this From the Security Desk blog post, the team and I will reveal what we (don’t) know about you.
What does 1Password have access to?
We don’t have access to anything you enter in 1Password. We do store what we’ve dubbed service data, which is used to provide you with our service, and to support you when needed.
When you sign up for 1Password, we ask for your name and email address. We like to know your name, so we know how to greet you, but the information you provide is entirely up to you. We use your email address to register and locate your account on the server. We can view the language in which you use 1Password, your account picture (look at that face!), the devices you use, and the names you’ve given those devices (some people get very creative).
We can see the type of account you have, when it was created, and when it was last accessed. We can view your subscription status and your payment method. And, as an identifier, we have the first eight non-secret characters of your Secret Key.
We can view the total number of vaults, items, and files in your account. We also log the IP address from which you access 1Password. The location information we store is restricted to a few employees, and only accessed when necessary.
What will always be private?
The only thing we see about your 1Password usage comes in the form of Universally Unique Identifiers (UUIDs), which are generated completely at random. UUIDs contain no information about you, your device, your items, or anything else. I’ll provide a UUID from my account as an example:
We also believe everyone has equivalent rights to privacy, and honour all access requests to the personal information we’ve stored. These requests aren’t limited to EU citizens. If you want to see your own service data, reach out to us — it’s yours, after all.
What will never waver
Our commitment to you.
Your trust in us is paramount, and we cherish it. On behalf of every single one of us here at 1Password, thank you. We’re incredibly humbled and proud to be something you count on.