Security and Design Overview
- The goals and design of 1Password’s security
- What kind of encryption does 1Password use?
The goals and design of 1Password’s security
- 1Password is designed to make it easier for people to behave securely than insecurely.
- 1Password allows you to have strong and unique passwords for each and every site and service you use.
- By integrating with your web browser, 1Password minimizes the risks of copying and pasting passwords on your system.
- By integrating with your web browser, 1Password thwarts many phishing attempts by only filling in passwords on the appropriate websites.
- 1Password uses well trusted standard library implementations of cryptographic functions.
- 1Password uses PBKDF2 to slow down automated Master Password guessing software.
- Only the minimal amount of data that needs to be available is decrypted at any one time.
- 1Password does all of its encryption on your local device.
- 1Password never writes decrypted data to disk nor transmits your data.
- We have no information about you or about your 1Password data. 1Password never sends any information to us about you or your use of 1Password. We have neither the means nor the desire to violate your privacy.
- 1Password uses a robust data format and makes backups to help protect against data loss.
- 1Password 4 uses authenticated encryption to prevent data tampering.
- We make the details of our data format and security design public so that these can benefit from public expert scrutiny.
- We understand cryptography and security so that we can follow and evaluate the latest research.
What kind of encryption does 1Password use?
The short answer
The short answer is 1Password uses the best available encryption from well trusted and scrutinized cryptographic libraries. It is designed in accordance with the recommendations of the cryptographic research community.
It is designed so that if anyone (including us) were to get a hold of your 1Password data there is no feasible way for them to decrypt your secrets without knowing your Master Password. We’ve even designed 1Password to make things extra difficult for systems that might try guessing your Master Password.
The buzzword compliant answer
1Password 4’s Cloud Keychain format uses Encrypt-then-MAC for authenticated encryption with AES-CBC-256 for encryption and HMAC-SHA256 for Message Authentication. Key derivation uses PBKDF2-HMAC-SHA512. On Mac and iOS, 1Password uses SecRandomCopyBytes() from Apple’s Security framework.
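The construction named above, as an added Node.js example that is not 1Password's code and does not reproduce the Cloud Keychain format: it derives keys with PBKDF2-HMAC-SHA512, encrypts with AES-256-CBC, and checks an HMAC-SHA256 tag before decrypting. The key split, blob layout, salt, iteration count and function names are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Assumption: one 64-byte PBKDF2-HMAC-SHA512 output is split into two
// independent keys, 32 bytes for AES-256-CBC and 32 bytes for HMAC-SHA256.
function deriveKeys(masterPassword, salt, iterations) {
  const okm = crypto.pbkdf2Sync(masterPassword, salt, iterations, 64, 'sha512');
  return { encKey: okm.subarray(0, 32), macKey: okm.subarray(32, 64) };
}

// Constructed blob layout for this example: IV (16) || ciphertext || tag (32).
function seal(keys, plaintext) {
  const iv = crypto.randomBytes(16); // fresh random IV for every item
  const cipher = crypto.createCipheriv('aes-256-cbc', keys.encKey, iv);
  const body = Buffer.concat([iv, cipher.update(plaintext), cipher.final()]);
  // Encrypt-then-MAC: the tag covers the IV and the ciphertext.
  const tag = crypto.createHmac('sha256', keys.macKey).update(body).digest();
  return Buffer.concat([body, tag]);
}

function unseal(keys, blob) {
  if (blob.length < 16 + 16 + 32) throw new Error('blob too short');
  const body = blob.subarray(0, blob.length - 32);
  const tag = blob.subarray(blob.length - 32);
  const expected = crypto.createHmac('sha256', keys.macKey).update(body).digest();
  // Verify in constant time before touching AES-CBC, so modified data is
  // rejected without ever reaching the padding check.
  if (!crypto.timingSafeEqual(tag, expected)) throw new Error('authentication failed');
  const iv = body.subarray(0, 16);
  const decipher = crypto.createDecipheriv('aes-256-cbc', keys.encKey, iv);
  return Buffer.concat([decipher.update(body.subarray(16)), decipher.final()]);
}

// Returns true when unseal() refuses the blob at the MAC check.
function rejected(keys, blob) {
  try { unseal(keys, blob); return false; }
  catch (err) { return err.message === 'authentication failed'; }
}

// Constructed sample values; the salt and iteration count are illustrative.
const salt = Buffer.from('constructed-salt');
const keys = deriveKeys('correct horse battery staple', salt, 100000);
const blob = seal(keys, 'example item secret');
const tampered = Buffer.from(blob);
tampered[20] ^= 0x01; // flip one ciphertext bit

console.log(unseal(keys, blob).toString());                           // round trip
console.log(rejected(keys, tampered));                                // tampering detected
console.log(rejected(deriveKeys('wrong guess', salt, 100000), blob)); // wrong password
```

A wrong password fails at the same MAC check as a modified blob, because it derives a different MAC key; the caller cannot tell the two cases apart and nothing is decrypted in either.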
The gory details
You can find the full description of all of the encryption used and the rationale for that design in our Cloud Keychain design document. We are proud to make our data design details public and open to expert scrutiny.