I haven't read the 1Password whitepaper, could you elaborate? Would be curious what 1P is doing that is substantially more secure than what LP is doing (not counting the braindead stuff like not encrypting website URLs). Having been a 1P user, my guess is that, unlike LastPass, in 1P the data used to encrypt your vault includes both a completely random key and your master password, while in LastPass it's just your master password. Is there anything else?
Yes, 1P uses a random key in addition to the master key, like you described. That's the one 1P asks you to print out and hide somewhere, and which you also need when opening a vault on a new device. I don't know what LP does, but here are some notable things I gathered from the 1P whitepaper:
- 1P has a multi-layered approach: The master key + random key (+ salts) decrypt the user's private key, which in turn is used to decrypt the vault key (because the user's public key was used to encrypt the vault key). The vault key is used to decrypt the vault's items (each individually). Giving a new member access to a vault is done by encrypting the vault key with that member's public key. (I guess that's the same for LP)
- 1P encrypts all field contents. BTW metadata (e.g. URIs) and content fields are encrypted separately, such that the former can be decrypted faster for UI and search purposes.
- 1P uses the Secure Remote Password protocol, which allows clients to authenticate with the 1P server without ever sending the actual password. Instead, during account creation, a derived key ("v") is sent from the client to the server that will be used to generate a shared secret during every authentication (without sending "v" again). "v" has been salted with the user's email address. So, by arriving at the same shared secret as the client, the server can be sure of three facts: 1) The user entered the correct master key, 2) the user's device has the correct random key in store, and 3) the user's given email matches the email that was defined when creating the vault. In the paper they write that this authentication process is actually the reason why 1P requires a random key in addition to the master key: It's impossible to brute-force the master key even if an attacker gains access to "v".
- Vault recovery with 1P prevents the team "admin" from receiving the recovered vault's data (they do learn the vault key though, that's a necessity).
- 1P are constantly evaluating whether stronger encryption schemes (e.g. elliptic curve, or, further out, post-quantum crypto) need to be implemented, and if such an update happens, they have already mapped out how vaults are upgraded. I think they increased PBKDF2 passes from 10k to 100k without breaking anything. IMO a higher pass count would be better, but that would make for quite a slow UI.
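
Added example, not part of the comments above and not 1Password's code: a simplified sketch of why mixing a device-held random key into the SRP secret makes a leaked "v" useless for confirming password guesses. The toy modulus, the HMAC salt binding, the XOR mixing step and all sample values are assumptions.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000   # the 100k PBKDF2 passes mentioned in the post
P = 2**255 - 19        # toy prime modulus (assumption), not a real SRP group
G = 2

def derive_x(password, email, salt, secret_key=None):
    """Derive the secret exponent x; secret_key=None models a password-only scheme."""
    # Bind the salt to the e-mail address, as the post describes for "v".
    bound = hmac.new(salt, email.lower().encode(), hashlib.sha256).digest()
    x = hashlib.pbkdf2_hmac("sha256", password.encode(), bound, ITERATIONS)
    if secret_key is not None:
        # Assumed mixing step: XOR in a keyed hash of the device-held random key.
        k = hmac.new(secret_key, bound, hashlib.sha256).digest()
        x = bytes(a ^ b for a, b in zip(x, k))
    return x

def verifier(x):
    """SRP-style verifier v = g^x mod p, the only value the server stores."""
    return pow(G, int.from_bytes(x, "big"), P)

def offline_guess(leaked_v, email, salt, candidates, secret_key=None):
    """Return the candidate that reproduces leaked_v, or None if none does."""
    for pw in candidates:
        if verifier(derive_x(pw, email, salt, secret_key)) == leaked_v:
            return pw
    return None

# Constructed sample account; none of these values come from a real system.
EMAIL = "alice@example.com"
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
PASSWORD = "correct horse"
SECRET_KEY = secrets.token_bytes(16)          # random key kept on the device
WORDLIST = ["hunter2", "letmein", "correct horse"]

V_PASSWORD_ONLY = verifier(derive_x(PASSWORD, EMAIL, SALT))
V_TWO_SECRET = verifier(derive_x(PASSWORD, EMAIL, SALT, SECRET_KEY))

if __name__ == "__main__":
    # Password-only: a leaked v confirms a weak password offline.
    print(offline_guess(V_PASSWORD_ONLY, EMAIL, SALT, WORDLIST))
    # Two secrets: the same wordlist finds nothing without the random key.
    print(offline_guess(V_TWO_SECRET, EMAIL, SALT, WORDLIST))
    # The user's own device, holding the key, still reproduces v.
    print(offline_guess(V_TWO_SECRET, EMAIL, SALT, WORDLIST, SECRET_KEY))
```

With a password-only derivation the strength of "v" is capped by the password; with the random key mixed in, every guess also has to cover a 128-bit unknown.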