Old Feb 15, 2013, 04:33 PM   #26
2012Tony2012
macrumors 6502a
 
Join Date: Dec 2012
Quote:
Originally Posted by colshine View Post
1Password encrypts the contents locally before syncing to the cloud. I would never have used 1Password unless I thought they took security seriously.
Have there ever been any reports of a user having been compromised?
2012Tony2012 is offline   0 Reply With Quote
Old Feb 15, 2013, 05:10 PM   #27
AGKyle
macrumors regular
 
Join Date: Jun 2012
 
see vendor information in user profile
Quote:
Originally Posted by pitaya View Post
would you mind commenting on the security implications when using 1PasswordAnywhere? Most of the 1password contents are encrypted, but 1Password.html and other stuff isn't. Is there anything in place to mitigate the chance of those being modified? Maybe published gpg signatures, or a list of checksums?

Thanks!
I can certainly look into getting something like that published. It may already be, but it's sometimes hard to find this type of information. Added to my todo list and if we do it I'll try to come back here to mention. No promises as my list of things to do is long.

I'll look into it on Monday when we have more people around to ask questions.

Do note that 1PasswordAnywhere is local, in that it never sends data to Dropbox; it merely requests the various .1password files to decrypt them locally in the browser.

----------

Quote:
Originally Posted by 2012Tony2012 View Post
Fair and valid point.

----------



I do feel more safe and peace of mind using MoxierWallet as my data is encrypted locally on my hard drive only and not in the cloud.
1Password's data is on your local device unless you choose to put it in the cloud. You have options with 1Password. Use them how you see fit.

With 1Password 4 we also offer USB syncing (beta right now) so that you can just plug your device in, run the app and sync your data without it ever touching the network.

We try to provide the best options we can given the size of our small team.

----------

Quote:
Originally Posted by 2012Tony2012 View Post
Have there ever been any reports of a user having been compromised?
None that I am aware of. I've been with the company for over a year now.

We are not aware of any holes in the encryption or weak points in the application that could be exploited and we do our best to make breaking into 1Password's data as difficult as possible using industry standard encryption.
__________________
Kyle
AgileBits - Makers of 1Password
http://support.agilebits.com

Last edited by AGKyle; Feb 18, 2013 at 10:07 AM.
AGKyle is offline   0 Reply With Quote
Old Feb 16, 2013, 01:34 AM   #28
flynz4
macrumors 68030
 
Join Date: Aug 2009
Location: Portland, OR
Quote:
Originally Posted by maflynn View Post
That's not entirely true. Many current enterprise databases contain the ability to encrypt data and only the application (or user) that is authorized will decrypt the data - all very seamless and automatic (Oracle for instance can do this).
I think you may have missed my point. Irrespective of how the bank encrypts... their system by definition, has the ability (and necessity) to decrypt your data since they must process your data.

By contrast... 1Password is fully encrypted on your own computer... and even if you choose to share your database... nobody else has your key to decrypt your data. The key is private to you.

/Jim
flynz4 is offline   0 Reply With Quote
Old Feb 18, 2013, 06:49 AM   #29
keaide
Thread Starter
macrumors regular
 
Join Date: Nov 2010
Thanks for all your replies. I bought the iOS version for 1Password and let it run on my iPhone. Not sure if I should get into that cloud syncing thing. If I decided to do that, what would be the better option? iCould or Dropbox?

The 1Password app for Mac comes with quite a hefty price tag. But without using the syncing function (version 4 for Mac with iCloud syncing), maybe that's not of interest anyway at the moment.
keaide is offline   0 Reply With Quote
Old Feb 18, 2013, 07:20 AM   #30
maflynn
Moderator
 
Join Date: May 2009
Location: Boston
Quote:
Originally Posted by keaide View Post
iCould or Dropbox?
I think you meant iCloud and not iCould

I prefer Dropbox simply because I can use 1Password on my Windows box and so with DropBox I have cross platform syncing.
__________________
~Mike Flynn
maflynn is offline   0 Reply With Quote
Old Feb 18, 2013, 02:25 PM   #31
dyn
macrumors 65816
 
Join Date: Aug 2009
Location: .nl
Quote:
Originally Posted by 2012Tony2012 View Post
But it's in the bank's cloud, not some third party company I have no idea about.
The same applies to any cloud service. Stuff is stored "somewhere" but we don't know exactly where. Google can't even guarantee us that data is stored in the EU nor can Microsoft or Dropbox. They can't even guarantee on what server it will be stored because they use the same kind of cloud services as banks (and many others) do. They outsource it to some party that can scale up or down the capacity that is necessary.

In most countries there are laws about how to store certain kinds of data. In case of banks it has to be encrypted. However, since anybody can get to data on the internet one must assume that data stored on the internet is compromised already. Let's not forget that it is very difficult to know when your data has been compromised. Most companies tend to keep security leaks/breaches a secret because they fear for their reputation. It's one of the reasons why some countries are thinking about making it mandatory to report such leaks/breaches. It can also take quite some time before a hack is even noticed. That's why you should always assume that data on the internet is already compromised when you put it there. It is up to you as the owner of the passwords to decide if the 1Password encryption (or any other application and/or encryption) is enough. Not everything requires military grade encryption even the NSA drools on
dyn is offline   0 Reply With Quote
Old Feb 18, 2013, 02:27 PM   #32
jpgoldberg
macrumors newbie
 
Join Date: Feb 2013
Location: Plano Texas & Crested Butte Colorado, USA
 
see vendor information in user profile
Quote:
Originally Posted by 2012Tony2012 View Post
Have there ever been any reports of a user having been compromised?
[Disclosure. I work for AgileBits, the makers of 1Password]

The short answer is "no". We are not aware of any case in which 1Password has been compromised.

There have been a small handful of cases where people suspected that 1Password had been compromised, but these all turned out to be false alarms.

We've had cases where people have written in suspecting that their 1Password data has been compromised. After asking for details, we learned that the people had only one password compromised which they had used over an insecure WiFi. (One, if I recall, had been in a coffee shop, another had been in a public library. These were to services that did not force SSL connections.)

We've also seen a couple of reports in which people were scared because their anti-virus software reported 1Password data files as infected. Anti-virus scanners are correctly suspicious of encrypted data, but overreacted in terms of 1Password data.

There have been cases where malware, DevilRobber, collected (encrypted) 1Password data (along with lots of other data including OS X keychains) and shipped it back to whoever controlled the malware. We wrote about that here:

http://blog.agilebits.com/2011/11/17...rd-harvesters/

The answer to that one is that we've designed 1Password with the knowledge that some people would have their 1Password data files stolen, whether through having their computers stolen, their computers compromised, or compromises on synching services.

The data format is designed to keep your secrets safe even if bad guys do get hold of your 1Password data file.

Cheers,

-j

Last edited by dejo; Feb 18, 2013 at 05:00 PM. Reason: Removed simulated signature.
jpgoldberg is offline   0 Reply With Quote
Old Feb 18, 2013, 03:44 PM   #33
snberk103
macrumors 603
 
Join Date: Oct 2007
Location: An Island in the Salish Sea
Quote:
Originally Posted by maflynn View Post
You sure about that. Banks outsource all the time, we have no idea where our financial data is stored.
Quote:
Originally Posted by 2012Tony2012 View Post
Fair and valid point.....
Quote:
Originally Posted by dyn View Post
The same applies to any cloud service. Stuff is stored "somewhere" but we don't know exactly where. Google can't even guarantee us that data is stored in the EU nor can Microsoft or Dropbox. They can't even guarantee on what server it will be stored because they use the same kind of cloud services as banks (and many others) do. ...
In most countries there are laws about how to store certain kinds of data. In case of banks it has to be encrypted. ...
However, banks in Canada and the US also have liability insurance in case of theft (other nations probably do too.) If someone steals your money due to breaching a bank's or a 3rd party server - your money is still protected. I would suspect that due to the huge sums involved, the insurance companies will make sure that a bank's servers are very secure.

Also, there is privacy legislation. Canadian banks have had to bring all of their domestic banking computing back into Canada because other nations could not guarantee that their police and intelligence services wouldn't want to peek at clients' personal information (with or without a warrant.) I suspect other nations' banks have had to deal with similar situations, and don't in fact contract out their cloud services to 3rd parties in other nations. imho, of course....
__________________
My friends, love is better than anger. Hope is better than fear. Optimism is better than despair. So let us be loving, hopeful and optimistic. And we'll change the world. - Jack Layton
snberk103 is offline   0 Reply With Quote
Old Feb 18, 2013, 04:56 PM   #34
jpgoldberg
macrumors newbie
 
Join Date: Feb 2013
Location: Plano Texas & Crested Butte Colorado, USA
 
see vendor information in user profile
Quote:
Originally Posted by Tilpots View Post
If syncing over Dropbox, an iCloud backup would restore the local file if the Dropbox file corrupted, correct?
[Disclosure: I work for AgileBits, the makers of 1Password]

That is a great, but tricky question. It really depends on the fine details of the nature of the data corruption. 1Password has conflict resolution mechanisms in these sync operations (mostly to deal with when changes to an item have been made on multiple systems before changes could be synchronized.)

In general, 1Password will try to do the right thing. 1Password will try to merge the data from the different sync sources. Corrupt data (if it is detected as such) should never "win" over valid data in a merge conflict.

I don't want to promise specific behavior without knowing the very particular nature of the data corruption. (Actually I don't want to promise any specific behavior about conflict resolution and data corruption as these are things that are continually being improved.)

So sorry for the vague answer. We've tried to design 1Password to behave intelligently in the face of data corruption, but the details get tricky.

If you've got more questions about this, I'd like to ask you to join our support forums, where you will definitely get a response and see others discussing similar issues.

Cheers,

-j

Last edited by dejo; Feb 18, 2013 at 04:59 PM. Reason: Removed simulated signature.
jpgoldberg is offline   0 Reply With Quote
Old Feb 19, 2013, 03:35 PM   #35
jpgoldberg
macrumors newbie
 
Join Date: Feb 2013
Location: Plano Texas & Crested Butte Colorado, USA
 
see vendor information in user profile
Quote:
Originally Posted by pitaya View Post
would you mind commenting on the security implications when using 1PasswordAnywhere? Most of the 1password contents are encrypted, but 1Password.html and other stuff isn't. Is there anything in place to mitigate the chance of those being modified? Maybe published gpg signatures, or a list of checksums?
That is a fantastic question! 1PasswordAnywhere is designed to be used when you don't have any of our software on your computer. As such, there is no way for our software to verify that you are getting a valid version of the 1Password.html file which contains the stuff for entering in your Master Password. So this does pose a risk. The protection is that you are fetching it over TLS/SSL from your own Dropbox account. But at the moment, that is the only protection against tampering.

As we move forward with more focus on data authentication, 1PasswordAnywhere remains the odd man out. So we've definitely been looking at stuff like this.

We've looked at possible approaches, including posting checksums on our website for what the 1Password.html file should yield, but we haven't actually done that yet.

I don't think that a GPG signature would be that useful as the circumstances in which someone had GPG available with an appropriate set of public keys that they could trust would be circumstances in which they could use the 1Password applications themselves. We want to make security easy to use and broadly accessible; having people use GPG doesn't really meet that goal.

I'd really like to encourage you to post about this on our forums. I'd like to get a better sense of what sorts of mechanisms (potential) 1Password users would be comfortable using to ensure that the 1PasswordAnywhere files haven't been tampered with.

Cheers,

-j

-
Jeffrey Goldberg
Chief Defender Against the Dark Arts @ AgileBits
http://agilebits.com
jpgoldberg is offline   0 Reply With Quote
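Added example, not part of the original post and not AgileBits code: one way a user could baseline the unencrypted files discussed above (1Password.html and anything else not ending in .1password) on a trusted machine and later detect modification. The bundle layout, the file names other than 1Password.html, and the rule that every non-.1password file is unencrypted are assumptions made for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIX = ".1password"  # encrypted item files, as named in the thread


def sha256_file(path, chunk=65536):
    """Stream a file through SHA-256 so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(bundle):
    """Map relative path -> SHA-256 for every unencrypted file in the bundle.

    Encrypted item files are skipped: they change legitimately on every edit.
    """
    bundle = Path(bundle)
    manifest = {}
    for p in sorted(bundle.rglob("*")):
        if p.is_file() and p.suffix != ENCRYPTED_SUFFIX:
            manifest[p.relative_to(bundle).as_posix()] = sha256_file(p)
    return manifest


def save_manifest(manifest, dest):
    """Store the baseline OUTSIDE the synced folder; a baseline kept next to
    the files can be rewritten by whoever tampers with them."""
    Path(dest).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def verify(bundle, manifest):
    """Compare the bundle's current state against a trusted baseline."""
    current = build_manifest(bundle)
    return {
        "modified": sorted(k for k in manifest
                           if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo():
    """Run against a constructed bundle (sample data, not a real keychain)."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle = Path(tmp) / "demo.bundle"
        (bundle / "data").mkdir(parents=True)
        (bundle / "1Password.html").write_text("<html>unlock page v1</html>")
        (bundle / "data" / "item.1password").write_text("ciphertext-1")
        baseline = build_manifest(bundle)
        save_manifest(baseline, Path(tmp) / "baseline.json")
        # Simulate tampering with the unencrypted unlock page.
        (bundle / "1Password.html").write_text("<html>unlock page v2</html>")
        return verify(bundle, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A "missing" entry can also simply mean the sync client has not finished downloading the bundle yet.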
Old Feb 20, 2013, 12:33 AM   #36
CylonGlitch
macrumors 68030
 
Join Date: Jul 2009
Location: SoCal
Just tonight I found the first issue with 1Password. I got a new MBP for work, so I set everything up, and I have been using 1Password on Dropbox so all has been great in terms of syncing. Now I had the task of installing my software I use on the new machine. I didn't want to copy over the preferences, I wanted a clean install. One application that I use is called CuteClips3; nice little clipboard manager app. But its registration code is an image, not a serial number. Anyway, in the past I had added the image file to my CuteClips3 software item in 1Password. Today when I went to retrieve that image I get the following.


Now, oddly enough, I went to my old machine and had no problems getting the data, thus I know it's good in the archive, but for some reason it wouldn't let me pull it out. First time this has happened to me.

BTW, 1Password is one of those pieces of software I cannot live without, it's awesome and made my task tonight so much easier.
__________________
Last edited by CylonGlitch : Tomorrow at 37:05 AM.
MRoogle
CylonGlitch is offline   0 Reply With Quote
Old Feb 20, 2013, 09:32 AM   #37
AGKyle
macrumors regular
 
Join Date: Jun 2012
 
see vendor information in user profile
Quote:
Originally Posted by CylonGlitch View Post
Just tonight I found the first issue with 1Password. I got a new MBP for work, so I set everything up, and I have been using 1Password on Dropbox so all has been great in terms of syncing. Now I had the task of installing my software I use on the new machine. I didn't want to copy over the preferences, I wanted a clean install. One application that I use is called CuteClips3; nice little clipboard manager app. But its registration code is an image, not a serial number. Anyway, in the past I had added the image file to my CuteClips3 software item in 1Password. Today when I went to retrieve that image I get the following.
Image

Now, oddly enough, I went to my old machine and had no problems getting the data, thus I know it's good in the archive, but for some reason it wouldn't let me pull it out. First time this has happened to me.

BTW, 1Password is one of those pieces of software I cannot live without, it's awesome and made my task tonight so much easier.
That's not fun. Just a heads up that this may require that you contact us directly for support as I may need some more information that we don't want to post to a public forum.

How did you try to export the image?

The easiest way is to just drag the file from 1Password to your Desktop. Though if it's an image you could just double click it and open it in the application that is set to open JPG images. I'm guessing you have to drag the image into the application to get it to register. So, I'd go the drag to Desktop, then drag to application option. This _should_ work, but if it isn't we'll need to get some more information and I'll have you PM and I'll send an email from our support site so I can monitor the discussion and help right away.
__________________
Kyle
AgileBits - Makers of 1Password
http://support.agilebits.com
AGKyle is offline   0 Reply With Quote
Old Feb 20, 2013, 09:42 AM   #38
CylonGlitch
macrumors 68030
 
Join Date: Jul 2009
Location: SoCal
Quote:
Originally Posted by AGKyle View Post
That's not fun. Just a heads up that this may require that you contact us directly for support as I may need some more information that we don't want to post to a public forum.
Not a problem, I'll PM you.

I think I have realized what has happened. Since it was a new install, I pointed 1Password at the dropbox folder. BUT I didn't stop to think that maybe dropbox wasn't fully synced yet. I was able to get to the core of the files and thus why 1Password mostly worked, but when I tried to pull out something larger, it wouldn't work (dragging to desktop, export, anything resulted in the same error).

I just retried, the machine was on all night for other things, and now it works fine. I'm guessing the dropbox sync was in progress before and now it's not.

So chalk this one up as User Error, I was impatient.
__________________
Last edited by CylonGlitch : Tomorrow at 37:05 AM.
MRoogle

Last edited by CylonGlitch; Feb 20, 2013 at 09:47 AM.
CylonGlitch is offline   0 Reply With Quote
Old Feb 20, 2013, 10:07 AM   #39
AGKyle
macrumors regular
 
Join Date: Jun 2012
 
see vendor information in user profile
Quote:
Originally Posted by CylonGlitch View Post
Not a problem, I'll PM you.

I think I have realized what has happened. Since it was a new install, I pointed 1Password at the dropbox folder. BUT I didn't stop to think that maybe dropbox wasn't fully synced yet. I was able to get to the core of the files and thus why 1Password mostly worked, but when I tried to pull out something larger, it wouldn't work (dragging to desktop, export, anything resulted in the same error).

I just retried, the machine was on all night for other things, and now it works fine. I'm guessing the dropbox sync was in progress before and now it's not.

So chalk this one up as User Error, I was impatient.
I think we all get impatient from time to time. Nothing necessarily wrong with that.

Just so everyone else reading along can know some details.

1Password's data file is technically a "bundle" in OS X. It appears to be a file, but in reality it's a folder with a bunch of files in it. You can tell if something is a bundle by right clicking it and seeing "Show Package Contents" in Finder. This indicates a bundle. All applications are bundles in OS X.

What this means is that, as CylonGlitch pointed out, if the sync with Dropbox isn't complete there may be files inside the bundle that aren't available yet. Once the download completes with Dropbox it'll work as expected.

In this case the error probably could've been more informative. We probably won't get this changed in version 3, but I've added it to my list of things to try to test in version 4 and see if we can improve the error messages more there.
__________________
Kyle
AgileBits - Makers of 1Password
http://support.agilebits.com
AGKyle is offline   0 Reply With Quote

All times are GMT -5.