EnerJi
4 years ago
Dedicated Contributor
Can we get a detailed explanation for the issue raised by mia RE: another user on their login page?
Specifically, the issue raised by @mia a couple of weeks ago wherein it appears that another user was listed on their 1Password login page. Link to the closed thread:
https://1password.community/d...
1P_Ben
1Password Team
4 years ago
Hi folks,
Thanks for following up on this. I can understand how a report like this would sound alarming. So many apps and services have designs that allow for such chaos to happen. The majority of services out there, in fact, have no protections in place to cryptographically prevent this, which is terrifying.
Thankfully, 1Password is completely different. Security and Privacy are the foundation of our design. And this foundation is cryptographically enforced. This means it's not just a policy that prevents users from seeing other people's items; rather, it is mathematically infeasible for anyone to break into another account. And thanks to the Secret Key, this remains true even for accounts with weak passwords.
Long story short, because all 1Password data is cryptographically protected using the account password, it would be impossible to access that data without that password and secret key. For anyone joining the conversation who might not be familiar, 1Password utilizes Two-Secret Key Derivation (2SKD), which is unique to 1Password. Frankly, this is what allows us to sleep at night. It ensures that what is stored on our servers is of little if any value.
If you're interested in learning more about our security model we offer a guide which provides a good overview, as well as an in-depth 1Password Security Design White Paper. On the subject of privacy, we have a guide, and our formal privacy policy is also available.
@mia:
Was a little disappointed this was never dug into a bit deeper but I understand as AgileBits has a heavy development load to focus on right now. I was brushed off others as well and in every case there was an actual security breach at the company.
I'm sorry we gave you the impression we brushed you off. That wasn't our intent. We take account privacy very seriously and are unable to share details about other accounts. We did a full investigation internally and everything is as it should be. I can say that our investigation did not find anything wrong with 1Password.
Both security and privacy are foundational to our business. We appreciate that this report was made so that we could fully evaluate the situation.
Ben
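The point in the reply above about weak passwords and the Secret Key, as an added example that is not part of the original thread and is not 1Password's code: a simplified two-secret derivation in which data held server-side cannot be used to test password guesses without the second secret. The PBKDF2/HKDF/XOR construction, the iteration count, the key-check stand-in for encrypted data, and all names and sample values are assumptions of this sketch.

```python
import hashlib
import hmac

ITERATIONS = 100_000  # assumed work factor for this sketch


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes) -> bytes:
    """HKDF (RFC 5869) extract-then-expand, single 32-byte output block."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()


def derive_unlock_key(password: str, secret_key: str, email: str, salt: bytes) -> bytes:
    """Combine a slow password hash with a high-entropy, device-held secret."""
    account = email.lower().encode()
    stretched = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), hkdf_sha256(salt, account, b"salt"), ITERATIONS)
    from_secret = hkdf_sha256(secret_key.encode(), account, b"secret-key")
    # XOR: the key stays unknown unless both inputs are known.
    return bytes(a ^ b for a, b in zip(stretched, from_secret))


def key_check(key: bytes) -> bytes:
    """Stand-in for 'data encrypted under the key': lets a guess be verified."""
    return hmac.new(key, b"key-check", hashlib.sha256).digest()


def offline_guess(record: dict, wordlist: list, secret_key_guess: str):
    """Return the password that reproduces the stored check value, or None."""
    for candidate in wordlist:
        key = derive_unlock_key(candidate, secret_key_guess, record["email"], record["salt"])
        if hmac.compare_digest(key_check(key), record["check"]):
            return candidate
    return None


# Constructed sample values (not real credentials).
EMAIL = "user@example.com"
WEAK_PASSWORD = "sunshine1"
SECRET_KEY = "A3-SAMPLE-CONSTRUCTED-KEY-0000000000"
SALT = bytes(range(16))
WORDLIST = ["123456", "password", "sunshine1", "letmein"]

# What the server side holds: neither the password nor the Secret Key.
RECORD = {"email": EMAIL, "salt": SALT,
          "check": key_check(derive_unlock_key(WEAK_PASSWORD, SECRET_KEY, EMAIL, SALT))}

if __name__ == "__main__":
    print("with Secret Key:   ", offline_guess(RECORD, WORDLIST, SECRET_KEY))
    print("without Secret Key:", offline_guess(RECORD, WORDLIST, "A3-ATTACKER-GUESS"))
```

With the correct second secret the weak password is found on the third guess; with any other value for it, no entry in the wordlist verifies, even though the correct password is in the list.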