Risks of using 1Password?

[2012Tony2012]

Quote:

Originally Posted by colshine

1Password encrypts the contents locally before syncing to the cloud. I would never have used 1Password unless I thought they took security seriously.

Have there ever been any reports of a user having been compromised?

[AGKyle]

Quote:

Originally Posted by pitaya

would you mind commenting on the security implications when using 1PasswordAnywhere? Most of the 1password contents are encrypted, but 1Password.html and other stuff isn't. Is there anything in place to mitigate the chance of those being modified? Maybe published gpg signatures, or a list of checksums?

Thanks!

I can certainly look into getting something like that published. It may already be but sometimes hard to find this type of information. Added to my todo list and if we do it I'll try to come back here to mention. No promises as my list of things to do is long

I'll look into it on Monday when we have more people around to ask questions.

Do note that 1PasswordAnywhere is local. In that it never sends data to Dropbox, it merely requests the various .1password files to decrypt them locally in the browser.

----------

Quote:

Originally Posted by 2012Tony2012

Fair and valid point.

----------



I do feel more safe and peace of mind using MoxierWallet as my data is encrypted locally on my hard drive only and not in the cloud.

1Password's data is on your local device unless you choose to put it in the cloud. You have options with 1Password. Use them how you see fit.

With 1Password 4 we also offer USB syncing (beta right now) so that you can just plug your device in, run the app and sync your data without it ever touching the network.

We try to provide the best options we can given the size of our small team.

----------

Quote:

Originally Posted by 2012Tony2012

Have there ever been any reports of a user having been compromised?

None that I am aware of. I've been with the company for over a year now.

We are not aware of any holes in the encryption or weak points in the application that could be exploited and we do our best to make breaking into 1Password's data as difficult as possible using industry standard encryption.

[flynz4]

Quote:

Originally Posted by maflynn

That's not entirely true. Many current enterprise databases contain the ability to encrypt data and only the application (or user) that is authorized will decrypt the data - all very seamless and automatic (Oracle for instance can do this).

I think you may have missed my point. Irrespective of how the bank encrypts... their system by definition, has the ability (and necessity) to decrypt your data since they must process your data.

By contrast... 1Password is fully encrypted on your own computer... and even if you choose to share your database... nobody else has your key to decrypt your data. They key is private to you.

/Jim

[keaide]

Thanks for all your replies. I bought the iOS version for 1Password and let it run on my iPhone. Not sure if I should get into that cloud syncing thing. If I decided to do that, what would be the better option? iCould or Dropbox?

The 1Password app for Mac comes with quite a hefty price tag. But without using the syncing function (version 4 for Mac with iCloud syncing), maybe that's not of interest anyway at the moment.

[maflynn]

Quote:

Originally Posted by keaide

iCould or Dropbox?

I think you meant iCloud and not iCould

I prefer Dropbox simply because I can use 1Password on my windows box and so with DropBox I have cross platform syncing.

[dyn]

Quote:

Originally Posted by 2012Tony2012

But it's in the banks cloud, not some third party company I have no idea about.

The same applies to any cloud service. Stuff is stored "somewhere" but we don't know exactly where. Google can't even guarantee us that data is stored in the EU nor can Microsoft or Dropbox. They can't even guarantee on what server it will be stored because they use the same kind of cloud services as banks (and many others) do. They outsource it to some party that can scale up or down the capacity that is necessary.

In most countries there are laws about how to store certain kinds of data. In case of banks it has to be encrypted. However, since anybody can get to data on the internet one must assume that data stored on the internet is compromised already. Let's not forget that it is very difficult to know when your data has been compromised. Most companies tend to keep security leaks/breaches a secret because they fear for their reputation. It's one of the reasons why some countries are thinking about making it mandatory to report such leaks/breaches. It can also take quite some time before a hack is even noticed. That's why you should always assume that data on the internet is already compromised when you put it there. It is up to you as the owner of the passwords to decide if the 1Password encryption (or any other application and/or encryption) is enough. Not everything requires military grade encryption even the NSA drools on

[jpgoldberg]

Quote:

Originally Posted by 2012Tony2012

Have there ever been any reports of a user having been compromised?

[Disclosure. I work for AgileBits, the makers of 1Password]

The short answer is "no". We are not aware of any case in which 1Password has been compromised.

There have been a small handful of cases where people suspected that 1Password had been compromised, but these all turned out to be false alarms.

We've cases where people have written in suspecting that their 1Password data has been compromised. After asking for details, we learned that the people had only one password compromised which they had used over an insecure WiFi. (One, if I recall, had been in a coffee shop, another had been is a public library. These were to services that did not force SSL connections.)

We've also seen a couple of reports in which people were scared because their anti-virsus software reported 1Password data files as infected. Anti-virus scanners are correctly suspicious of encrypted data, but over reacted in terms of 1Password data.

There have been cases where malware, DevilRobber, collected (encrypted) 1Password data (along with lots of other data including OS X keychains) and shipped it back to whoever controlled the malware. We wrote about that here:

http://blog.agilebits.com/2011/11/17...rd-harvesters/

The answer to that one, is that we've designed 1Password with the knowledge that some people would have their 1Password data files stolen, whether through having their computers stolen, their computers compromised, or compromises on synching services.

The data format is designed to keep your secrets safe even if bad guys do get hold of your 1Password data file.

Cheers,

-j

[snberk103]

Quote:

Originally Posted by maflynn

You sure about that. Banks outsource all the time, we have no idea where our financial data is stored.

Quote:

Originally Posted by 2012Tony2012

Fair and valid point.....

Quote:

Originally Posted by dyn

The same applies to any cloud service. Stuff is stored "somewhere" but we don't know exactly where. Google can't even guarantee us that data is stored in the EU nor can Microsoft or Dropbox. They can't even guarantee on what server it will be stored because they use the same kind of cloud services as banks (and many others) do. ...
In most countries there are laws about how to store certain kinds of data. In case of banks it has to be encrypted. ...

However, banks in Canada and the US also have liability insurance in case of theft (other nations probably do too.) If someone steals your money due to breaching a bank's or a 3rd party server - your money is still protected. I would suspect that due to the huge sums involved, the insurance companies will make sure that a bank's servers are very secure.

Also, there is privacy legislation. Canadian banks have had to bring all of their domestic banking computing back into Canada because other nations could not guarantee that their police and intelligence services wouldn't want to peek at client's personal information (with or without a warrant.) I suspect other nation's banks have had to deal with similar situations, and don't in fact contract out their cloud services to 3rd parties in other nations. imho, of course....

[jpgoldberg]

Quote:

Originally Posted by Tilpots

If syncing over Dropbox, an iCloud backup would restore the local file if the Dropbox file corrupted, correct?

[Disclosure: I work for AgileBits, the makers of 1Password]

That is a great, but tricky question. It really depends on the fine details of the nature of the data corruption. 1Password has a conflict resolution mechanisms in these sync operations (mostly to deal with when changes to an item have been made on multiple systems before changes could be synchronized.)

In general, 1Password will try to do the right thing. 1Password will try to merge the data from the different sync sources. Corrupt data (if it is detected as such) should never "win" over valid data in a merge conflict.

I don't want to promise specific behavior without knowing the very particular nature of the data corruption. (Actually I don't want to promise any specific behavior about conflict resolution and data corruption as these are things that are continually being improved.)

So sorry for the vague answer. We've tried to design 1Password to behave intelligently in the face of data corruption, but the details get tricky.

If you've got more questions about this, I'd like to ask you to join our support forums, where you will definitely get a response and see others discussing similar issues.

Cheers,

-j

[jpgoldberg]

Quote:

Originally Posted by pitaya

would you mind commenting on the security implications when using 1PasswordAnywhere? Most of the 1password contents are encrypted, but 1Password.html and other stuff isn't. Is there anything in place to mitigate the chance of those being modified? Maybe published gpg signatures, or a list of checksums?

That is a fantastic question! 1PasswordAnywhere is designed to be used when you don't have any of our software on your computer. As such, there is no way for our software to verify that you getting a valid version of the 1Password.html file which contains the stuff for entering in your Master Password. So this does pose a risk. The protection is that you are fetching it over TLS/SSL from your own Dropbox account. But at the moment, that is the only protection against tampering.

As we move forward with more focus on data authentication, 1PasswordAnywhere remains the odd man out. So we've definitely been looking at stuff like this.

We've looked at possible approaches, including posting checksums on our website for what the 1Password.html file should yield, but we haven't actually done that yet.

I don't think that a GPG signature would be that useful as the circumstances in which someone had GPG available with an appropriate set of public keys that they could trust would be circumstances in which they could use the 1Password applications themselves. We want to make security easy to use and broadly accessible; having people use GPG doesn't really meet that goal.

I'd really like to encourage you to post about this on our forums. I'd like to get a better sense of what sorts of mechanisms (potential) 1Password users would be comfortable using to ensure that the 1PasswordAnywhere files haven't been tampered with.

Cheers,

-j

–-
Jeffrey Goldberg
Chief Defender Against the Dark Arts @ AgileBits
http://agilebits.com

[CylonGlitch]

Just tonight I found the first issue with 1Password. I got a new MBP for work, so I set everything up, and I have been using 1Password on Dropbox so all has been great in terms of syncing. Now I had the task of installing my software I use on the new machine. I didn't want to copy over the preferences, I wanted a clean install. One application that I use is called CuteClips3; nice little clipboard manager app. But it's registration code is an image, not a serial number. Anyway, in the past I had added the image file to my CuteClips3 software item in 1Password. Today when I went to retrieve that image I get the following.


Now, oddly enough, I went to my old machine and had no problems getting the data, thus I know it's good in the archive, but for some reason it wouldn't let me pull it out. First time this has happened to me.

BTW, 1Password is one of those pieces of software I cannot live without, it's awesome and made my task tonight so much easier.

[AGKyle]

Quote:

Originally Posted by CylonGlitch

Just tonight I found the first issue with 1Password. I got a new MBP for work, so I set everything up, and I have been using 1Password on Dropbox so all has been great in terms of syncing. Now I had the task of installing my software I use on the new machine. I didn't want to copy over the preferences, I wanted a clean install. One application that I use is called CuteClips3; nice little clipboard manager app. But it's registration code is an image, not a serial number. Anyway, in the past I had added the image file to my CuteClips3 software item in 1Password. Today when I went to retrieve that image I get the following.
Image

Now, oddly enough, I went to my old machine and had no problems getting the data, thus I know it's good in the archive, but for some reason it wouldn't let me pull it out. First time this has happened to me.

BTW, 1Password is one of those pieces of software I cannot live without, it's awesome and made my task tonight so much easier.

That's not fun. Just a heads up that this may require that you contact us directly for support as I may need some more information that we don't want to post to a public forum.

How did you try to export the image?

The easiest way is to just drag the file from 1Password to your Desktop. Though if it's an image you could just double click it and open it in the application that is set to open JPG images. I'm guessing you have to drag the image into the application to get it to register. So, I'd go the drag to Desktop, then drag to application option. This _should_ work, but if it isn't we'll need to get some more information and I'll have you PM and I'll send an email from our support site so I can monitor the discussion and help right away.

[CylonGlitch]

Quote:

Originally Posted by AGKyle

That's not fun. Just a heads up that this may require that you contact us directly for support as I may need some more information that we don't want to post to a public forum.

Not a problem, I'll PM you.

I think I have realized what has happened. Since it was a new install, I pointed 1Password at the dropbox folder. BUT I didn't stop to think that maybe dropbox wasn't fully synced yet. I was able to get to the core of the files and thus why 1Password mostly worked, but when I tried to pull out something larger, it wouldn't work (dragging to desktop, export, anything resulted in the same error).

I just retried, the machine was on all night for other things, and now it works fine. I'm guessing the dropbox sync was in progress before and now it's not.

So chalk this one up as User Error, I was impatient.

[AGKyle]

Quote:

Originally Posted by CylonGlitch

Not a problem, I'll PM you.

I think I have realized what has happened. Since it was a new install, I pointed 1Password at the dropbox folder. BUT I didn't stop to think that maybe dropbox wasn't fully synced yet. I was able to get to the core of the files and thus why 1Password mostly worked, but when I tried to pull out something larger, it wouldn't work (dragging to desktop, export, anything resulted in the same error).

I just retried, the machine was on all night for other things, and now it works fine. I'm guessing the dropbox sync was in progress before and now it's not.

So chalk this one up as User Error, I was impatient.

I think we all get impatient from time to time. Nothing necessarily wrong with that

Just so everyone else reading along can know some details.

1Password's data file is technically a "bundle" in OS X. It appears to be a file, but in reality it's a folder with a bunch of files in it. You can tell if something is a bundle by right clicking it and seeing "Show Package Contents" in Finder. This indicates a bundle. All applications are bundles in OS X.

What this means is that as CylonGlitch pointed out if the sync with Dropbox isn't complete there may be files inside the bundle that aren't available yet Once the download completes with Dropbox it'll work as expected.

In this case the error probably could've been more informative. We probably won't get this changed in version 3, but I've added it to my list of things to try to test in version 4 and see if we can improve the error messages more there.