Security and privacy

How Secure Remote Password protects your 1Password account

Learn how 1Password uses Secure Remote Password to authenticate your account and protect your information in transit.

Your 1Password account is protected by multiple layers of security. Your Master Password and Secret Key encrypt your data end-to-end, and Secure Remote Password (SRP) prevents anyone from stealing your credentials or reading any non-secret information sent to the server.

Your credentials are never sent over the network

Most websites send your password to a server when you try to sign in, leaving it vulnerable to interception. Your 1Password account uses the SRP handshake protocol to authenticate without sending your Master Password or Secret Key over the Internet, so they can’t be stolen in transit.

Your information is protected by an additional encryption key

When you sign in to your 1Password account, your information is protected by Transport Layer Security (TLS). With SRP, an additional session encryption key protects your information even if someone manages to decrypt TLS. This includes non-secrets like your name and email address.

The encryption key is different for each session, so an attacker who records one authentication session won’t be able to play that back in an attempt to authenticate.

Your connection is always to the genuine 1Password server

The SRP verification process proves to the server that the 1Password app has a secret that can only be derived using the correct Master Password and Secret Key. It also proves to the 1Password app that the server has the correct verifier, which guarantees that the 1Password app is communicating with the 1Password server, not an impostor.

Learn more

Published: