‘Can I trust a password manager that stores my data in the cloud?’
It’s a good question to ask.
After all, your passwords, credit cards, and other private information are precious. And when you choose a password manager with cloud-based syncing, you’re relying on someone else to watch and guard the server where your data is stored.
But to answer the question: Yes, you can trust 1Password, which uses the cloud to keep your data in sync across your devices.
Our systems are designed so that your data would remain safe even if an attacker gained access to our servers.
Here’s how it works.
What would happen if 1Password’s servers were breached
The data you store in 1Password is always kept fully encrypted on our servers. And when we say “data”, we mean everything, including the names of your vaults, and the website URLs associated with each saved password.
If an attacker somehow infiltrated one of our servers, the best they could hope to find is reams and reams of scrambled information. All of this encrypted gibberish would be useless without the means to decrypt it.
Two ingredients are required to access and read your vault data: your account password and your Secret Key.
Let’s take each of them in turn and look at how they would protect your data in the event of a breach.
How your account password protects your data
Your account password is chosen by you. Once you’ve set up 1Password and saved all your other logins, it’s the only password you’ll need to remember.
Your account password is never stored by or visible to us. So if an attacker gained access to our servers, they wouldn’t find your account password and couldn’t, therefore, unscramble your encrypted data.
We understand that many people will find it tough to choose a strong but memorable password. That’s why we don’t rely solely on the strength of your chosen password to protect your private data.
Enter the Secret Key.
How the Secret Key protects your data
The Secret Key is a security feature that’s unique to 1Password. It’s an account-specific encryption ingredient with 128 bits of strength, written as 34 letters and numbers separated by dashes.
In simple terms, every Secret Key is one of 2^128, or 340,282,366,920,938,463,463,374,607,431,768,211,456, possible values. Cracking it would be an insurmountable task for even the most powerful supercomputer.
The Secret Key is generated on your device when you first create your account. It’s never sent to us in full. Only you have access to it.
We don’t expect you to memorize your Secret Key – it’s too long for that. Instead, it’s stored securely on all the devices you’ve used to sign in to your account. Your unique Secret Key is combined with your account password to create the full encryption key that encrypts everything you store in 1Password.
This process happens on your device, which is why we don’t need to store either your account password or Secret Key on our servers.
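The combination step described above, as an added illustration (not 1Password's own algorithm): a user-chosen password is stretched with PBKDF2, a device-held 128-bit Secret Key is expanded with HKDF, and the two are XORed into a key that depends on both. The iteration count, the purpose labels, and the dash-separated base32 display format are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os

# Added illustration of combining a user-chosen password with a device-held
# 128-bit Secret Key. The rounds, labels and key formatting are assumptions
# for this example, not 1Password's actual algorithm.
PBKDF2_ROUNDS = 100_000


def generate_secret_key() -> str:
    """128 random bits, shown as 26 base32 characters grouped with dashes."""
    chars = base64.b32encode(os.urandom(16)).decode().rstrip("=")
    return "-".join(chars[i:i + 6] for i in range(0, len(chars), 6))


def secret_key_bytes(secret_key: str) -> bytes:
    """Reverse the display format back into the raw 16 key bytes."""
    raw = base64.b32decode(secret_key.replace("-", "") + "======")
    if len(raw) != 16:
        raise ValueError("Secret Key must encode exactly 128 bits")
    return raw


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract then expand) with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block = b"", b""
    for counter in range(1, -(-length // 32) + 1):
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
    return okm[:length]


def derive_key(password: str, secret_key: str, salt: bytes, purpose: bytes) -> bytes:
    """Stretch the password, then XOR in material expanded from the Secret Key.
    Both halves are bound to `purpose`, so the vault key and the login key
    derived from the same inputs are independent of each other."""
    pw_part = hashlib.pbkdf2_hmac("sha256", password.encode(), purpose + salt,
                                  PBKDF2_ROUNDS, 32)
    sk_part = hkdf_sha256(secret_key_bytes(secret_key), salt, purpose, 32)
    return bytes(p ^ s for p, s in zip(pw_part, sk_part))


def guess_matches_stolen_data(stolen_salt: bytes, target_key: bytes,
                              password_guess: str, secret_key_guess: str) -> bool:
    """What someone holding only server-side data (salt, ciphertext) can test:
    every guess must supply BOTH ingredients, so the 128-bit Secret Key
    dominates the effort even when the password itself is weak."""
    return derive_key(password_guess, secret_key_guess, stolen_salt, b"vault") == target_key
```

Because the salt lives on the server while the Secret Key never does, the last function is exactly the check a server-side breach would leave an attacker able to run, and it fails for every candidate that lacks the Secret Key.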
How TLS and SRP protect your data
Since we never see your account password or Secret Key, we need another way to confirm your identity and make sure your encrypted data doesn’t fall into the wrong hands.
Here’s how we protect you from a theoretical attacker trying to impersonate 1Password and trick you into sharing your account details:
Industry-standard Transport Layer Security (TLS) provides a first line of defense, but we’ve bolstered it with an additional protocol known as Secure Remote Password (SRP) that handles authentication between your devices and our servers. Unlike a traditional login, SRP lets you prove you hold your account credentials without ever sending them to us.
With SRP, your account password and Secret Key are used to generate a new key – one that’s entirely separate from the one that encrypts your 1Password data.
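The login flow described in this section, as an added SRP-6a walk-through showing both the device's and the server's messages; it is not 1Password's implementation. The `auth_key` input stands for the separate login key derived from the account password and Secret Key, and the group constant `N` is meant to be the RFC 5054 1024-bit group with `g = 2`, transcribed here without verification.

```python
import hashlib
import secrets

# Added SRP-6a illustration, not 1Password's code. The server keeps only a salt
# and a verifier v; the password-derived auth_key never crosses the wire.
# N is meant to be the RFC 5054 1024-bit group (g = 2), transcribed without
# verification: real code must load the group from the RFC itself.
N = int("EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
        "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
        "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
        "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8


def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def pad(x: int) -> bytes:
    return x.to_bytes(NLEN, "big")

k = H(pad(N), pad(g))  # SRP-6a multiplier, a public value


def private_x(username: bytes, auth_key: bytes, salt: bytes) -> int:
    return H(salt, hashlib.sha256(username + b":" + auth_key).digest())


def enroll(username: bytes, auth_key: bytes) -> tuple[bytes, int]:
    """Run once on the device. The server stores (salt, v) and nothing else;
    v = g^x mod N does not let it recover x, auth_key, or the vault key."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(username, auth_key, salt), N)


def client_start() -> tuple[int, int]:
    a = secrets.randbelow(N)          # ephemeral secret, never leaves the device
    return a, pow(g, a, N)            # A is sent to the server


def server_challenge(v: int) -> tuple[int, int]:
    b = secrets.randbelow(N)          # ephemeral secret, stays on the server
    return b, (k * v + pow(g, b, N)) % N   # B is sent to the client


def client_key(username: bytes, auth_key: bytes, salt: bytes, a: int, A: int, B: int) -> bytes:
    if B % N == 0: raise ValueError("invalid server value B")
    u, x = H(pad(A), pad(B)), private_x(username, auth_key, salt)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)   # = g^(b(a + ux))
    return hashlib.sha256(pad(S)).digest()


def server_key(v: int, b: int, A: int, B: int) -> bytes:
    if A % N == 0: raise ValueError("invalid client value A")
    u = H(pad(A), pad(B))
    S = pow(A * pow(v, u, N) % N, b, N)                   # = g^(b(a + ux))
    return hashlib.sha256(pad(S)).digest()
```

Both sides end with the same session key only when the device used the right `auth_key`; a server that is breached gives up `salt` and `v`, which is not enough to log in as the user or to decrypt anything.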
Trust our track record
1Password has been around for more than a decade. And in that time, we’ve always given our customers’ data the protection it deserves.
To ensure your information stays secure, we’re routinely audited by third-party security experts. We also publish the reports produced by each auditor.
In addition, 1Password has a bug bounty program with a top reward of $1 million.
This is on top of the time and effort our security team invests every day to ensure your data is kept as secure as possible.
The bottom line
Can you trust 1Password to look after your passwords, credit cards, and other digital secrets? Absolutely.
The idea that it’s safer to entrust account credentials, payment info, documents, and identities that make up our modern lives to someone else can feel counterintuitive.
But keeping all of this data to yourself means that you – and only you – are responsible for protecting it. That could make you a more attractive mark for thieves.
Consider things from the attacker’s perspective: what’s more likely to succeed … breaking into a heavily fortified system of interlocking security protocols designed and staffed by a team of experts whose job it is to keep you out? Or snatching an individual’s private server, laptop, or password notebook?
Here at 1Password, every decision we make is meticulously tested and thought through to ensure it prioritizes the safety of your data above everything else. That includes the design of our cloud-based storage and syncing services.
But even if our infrastructure were somehow breached, you can rest assured your data wouldn’t be at risk.